Medium Severity

Xero infrastructure abuse

Labels

Credential Phishing

Evasion

Social engineering

Content analysis

Header analysis

Natural Language Understanding

URL analysis

Description

Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks.

References

No references.

Sublime Security

Created May 9th, 2025 • Last updated Nov 3rd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and sender.email.email == "messaging-service@post.xero.com"
and 
// there are external links (not org or xero domains)
length(filter(body.links,
              .href_url.domain.domain not in $org_domains
              and .href_url.domain.root_domain not in ("xero.com", )
       )
) > 0
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  // subject match when cred_theft doesn't match
  // high confidence observed subject intros in the format of "Urgent Thing: ..."
  or regex.icontains(subject.subject,
                     '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name in ("Facebook", "Meta", "Instagram")
         and .confidence in ("medium", "high")
  )
  // any of the links are for newly registered domains
  or any(filter(body.links,
                .href_url.domain.domain not in $org_domains
                and .href_url.domain.root_domain not in ("xero.com")
         ),
         network.whois(.href_url.domain).days_old < 30
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("B2B Cold Outreach", "Professional and Career Development")
        and .confidence != "low"
    )
  )
  // sender display name or subject contains confusables
  or (
    sender.display_name != strings.replace_confusables(sender.display_name)
    or subject.subject != strings.replace_confusables(subject.subject)
  )
  // IP pool appears to be tagged by Xero via Mailgun
  // https://help.mailgun.com/hc/en-us/articles/360052184214-IP-Pools
  or any(headers.hops,
         any(.fields,
             .name == "X-Mailgun-Sending-Ip-Pool-Name"
             and .value == "High Risk Pool"
         )
  )
)
and (
  ( // sender domain matches no body domains
    length(body.links) > 0
    and all(body.links,
            .href_url.domain.root_domain not in ("xero.com", )
            or .href_url.domain.root_domain is null
    )
  )
  // link contains email address
  or any(recipients.to,
         .email.domain.valid
         and any(body.links,
                 strings.icontains(.href_url.url, ..email.email)
                 or any(beta.scan_base64(.href_url.url,
                                         format="url",
                                         ignore_padding=true
                        ),
                        strings.icontains(., ...email.email)
                 )
                 or any(beta.scan_base64(.href_url.fragment,
                                         ignore_padding=true
                        ),
                        strings.icontains(., ...email.email)
                 )
                 // cloudflare turnstile or phishing warning page
                 or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                      "cloudflare"
                 )
         )
  )
  or regex.icontains(subject.subject, "termination.*notice")
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name in ("sender", "org")
         and regex.icontains(.text, 'Recruitment|staffing|\bhr\b')
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.