Attachment: Cold outreach with invitation subject and not attachment

Detects inbound messages with invitation-related subjects that request recipients to view attachments, contain no links, and are classified as B2B cold outreach with high confidence. Messages either have no attachments or contain a single image attachment.

Sublime rule (View on GitHub)

name: "Attachment: Cold outreach with invitation subject and not attachment"
description: "Detects inbound messages with invitation-related subjects that request recipients to view attachments, contain no links, and are classified as B2B cold outreach with high confidence. Messages either have no attachments or contain a single image attachment."
type: "rule"
severity: "high"
source: |
  type.inbound
  // invitation-themed subject ("invite", "invitation", "invited", ...)
  and strings.icontains(subject.subject, 'invit')
  // no links in the body: the lure is the referenced "attachment", not a URL
  and length(body.links) == 0
  // please find attached language
  and regex.icontains(body.current_thread.text,
                      '(?:please|find|view).{0,50}attached'
  )
  // a single image attachment or there are 0 attachments
  and (
    (
      length(attachments) == 1
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // NLU classifies the current thread as B2B cold outreach with high confidence
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "B2B Cold Outreach" and .confidence == "high"
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "File analysis"
id: "883d04a9-a43d-5c9a-bb4b-b8b158e593fb"
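To make the rule's conditions concrete, the following is an added Python model of the same logic, run over constructed sample messages. It is example code written for this page, not Sublime's MQL evaluator: the image extension set stands in for $file_types_images, and the NLU topic list attached to each message stands in for the output of ml.nlu_classifier, which is assumed rather than computed.

```python
import re
from dataclasses import dataclass, field

# Stand-in for Sublime's $file_types_images list. The real list is maintained by
# Sublime; this subset is an assumption constructed for the example.
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}

# Same pattern as the rule. No DOTALL flag: as in RE2, '.' does not cross a
# newline, so "please see the\nattached" does not match here either.
ATTACHED_RE = re.compile(r"(?:please|find|view).{0,50}attached", re.IGNORECASE)


@dataclass
class Attachment:
    file_name: str
    file_type: str  # extension without the dot, mirroring attachments[].file_type


@dataclass
class Message:
    inbound: bool
    subject: str
    body_text: str  # stands in for body.current_thread.text
    links: list = field(default_factory=list)  # stands in for body.links
    attachments: list = field(default_factory=list)
    # Stands in for ml.nlu_classifier(body.current_thread.text).topics.
    nlu_topics: list = field(default_factory=list)


def is_inbound(m):
    return m.inbound


def invite_subject(m):
    return "invit" in m.subject.lower()


def no_links(m):
    return len(m.links) == 0


def asks_to_view_attachment(m):
    return ATTACHED_RE.search(m.body_text) is not None


def image_only_or_no_attachments(m):
    if not m.attachments:
        return True
    return len(m.attachments) == 1 and all(
        a.file_type in IMAGE_FILE_TYPES for a in m.attachments
    )


def cold_outreach_high(m):
    return any(
        t["name"] == "B2B Cold Outreach" and t["confidence"] == "high"
        for t in m.nlu_topics
    )


# One entry per clause of the rule, in the order the rule lists them.
CONDITIONS = [
    ("type.inbound", is_inbound),
    ("subject contains 'invit'", invite_subject),
    ("no links in body", no_links),
    ("'please/find/view ... attached' in body", asks_to_view_attachment),
    ("single image attachment or none", image_only_or_no_attachments),
    ("NLU: B2B Cold Outreach, high confidence", cold_outreach_high),
]


def failed_conditions(m):
    """Names of the rule's clauses that the message does NOT satisfy."""
    return [name for name, check in CONDITIONS if not check(m)]


def rule_matches(m):
    return not failed_conditions(m)


# Constructed sample messages (not real mail).
BODY = (
    "Hi there,\n\nWe would love to have your team at our partner summit. "
    "Please find the agenda attached and let me know who will join.\n\nBest,\nSam"
)
TOPICS_HIGH = [{"name": "B2B Cold Outreach", "confidence": "high"}]
SUBJ = "Invitation: Partner Summit"

SAMPLES = {
    "no_attachment": Message(True, SUBJ, BODY, nlu_topics=TOPICS_HIGH),
    "image_attachment": Message(True, "You're invited!", BODY,
                                attachments=[Attachment("banner.png", "png")],
                                nlu_topics=TOPICS_HIGH),
    "has_link": Message(True, SUBJ, BODY, links=["https://example.com/register"],
                        nlu_topics=TOPICS_HIGH),
    "pdf_attachment": Message(True, SUBJ, BODY,
                              attachments=[Attachment("agenda.pdf", "pdf")],
                              nlu_topics=TOPICS_HIGH),
    "medium_confidence": Message(True, SUBJ, BODY, nlu_topics=[
        {"name": "B2B Cold Outreach", "confidence": "medium"}]),
    "outbound": Message(False, SUBJ, BODY, nlu_topics=TOPICS_HIGH),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        verdict = "MATCH" if rule_matches(m) else "no match"
        print(f"{label:18} {verdict:9} {failed_conditions(m)}")
```

Only the first two samples match; each of the others fails exactly one clause, and failed_conditions names it, which is the information you want when tuning a rule that is firing too little or too much. Note the newline caveat on the regex: a body that wraps between "please" and "attached" is not matched, because `.` stops at a line break.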