High Severity

VIP impersonation: VIP recipient of previous thread with HTML generator

Description

Detects inbound messages that impersonate invoice communications impersonating organizational VIPs, where the message appears in a thread previously involving VIP recipients. The rule identifies a specific template technique where the HTML body contains markers associated with 'Advanced HTML parser' tooling or a suspicious '<title>HTML Message</title>' tag. Both are artifacts commonly left by tools used to craft or obfuscate invoice lure content. Observed samples spoof leadership-recognition invoice themes naming specific executives as the invoiced party.

References

No references.

Sublime Security
Created Jul 7th, 2026 • Last updated Jul 7th, 2026
Source
type.inbound
and any(body.previous_threads,
        any(.recipients.to,
            any($org_vips,
                strings.icontains(..display_name, .display_name)
                or strings.icontains(..email.email, .email)
            )
        )
)
and (
  strings.icontains(body.html.raw, 'Advanced HTML parser')
  or regex.icontains(body.html.raw, '<title>\s*HTML Message\s*</title>')
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started