• Sublime Core Feed
Medium Severity

Twitter infrastructure abuse via link shortener

Labels

Credential Phishing
Malware/Ransomware
Spam
Evasion
Impersonation: Brand
Social engineering
Content analysis
Sender analysis
URL analysis

Description

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

References

No references.

Sublime Security
Created Mar 6th, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.links) < 10
and any(body.links, .href_url.domain.root_domain == "t.co")
and sender.email.domain.domain not in~ (
  'twitter.com',
  'x.com',
  'twitter.discoursemail.com'
)
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started