Medium Severity

Suspicious subject with long procedurally generated text blob

Labels

Description

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

References

No references.

Sublime Security

Created Mar 12th, 2025 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// "#" symbol, and then letters, numbers or more symbols (-#)
and regex.imatch(subject.subject, ".*#[a-z0-9-#]+$")
// not JUST letters
and not regex.imatch(subject.subject, ".*#[a-z-]+$")
// not JUST numbers
and not regex.imatch(subject.subject, ".*#[0-9-]+$")
and not any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Professional and Career Development",
              "Reminders and Notifications"
            )
            and .confidence == "high"
)

// and 1 other suspicious element
and 2 of (
  any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld)),
  (
    regex.imatch(sender.display_name, ".*#[a-z0-9-#]+$")
    and not regex.imatch(subject.subject, ".*#[a-z-]+$")
    and not regex.imatch(subject.subject, ".*#[0-9-]+$")
  ),
  any(ml.nlu_classifier(subject.subject).intents,
      .name == "cred_theft" and .confidence == "high"
  ),
  body.current_thread.text is null
)

// standard negations
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.