Credential phishing: Fake card notification with tracking lure

calendar Mar 24, 2026  ·
Share on: linkedin copy

Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links.

Sublime rule (View on GitHub)

 1name: "Credential phishing: Fake card notification with tracking lure"
 2description: "Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      regex.icontains(subject.base, '\bcard\b')
10      or regex.icontains(body.current_thread.text, '\bcard\b')
11    )
12    and strings.ilike(body.current_thread.text,
13                      "*could be with you*",
14                      "*currently accessible*",
15                      "*collect bank details*",
16                      "*not a financial institution*"
17    )
18  )
19  and any(body.links,
20          strings.ilike(.display_text,
21                        "*track order*",
22                        "*track*card*",
23                        "*card status*"
24          )
25  )
26  and any(ml.nlu_classifier(body.current_thread.text).intents,
27          .name == "cred_theft" and .confidence == "high"
28  )
29  and not (
30    sender.email.domain.root_domain in $high_trust_sender_root_domains
31    and coalesce(headers.auth_summary.dmarc.pass, false)
32  )  
33attack_types:
34  - "Credential Phishing"
35tactics_and_techniques:
36  - "Social engineering"
37detection_methods:
38  - "Content analysis"
39  - "Natural Language Understanding"
40  - "URL analysis"
41  - "Sender analysis"
42id: "22cec280-7dfa-5da0-bd2b-8a5bfd83fa5c"
to-top