Service Abuse: Nifty.com with impersonation

Detects inbound emails from nifty.com where the sender's local part matches a recipient's local part or one of the organization's own SLDs, a pattern that has been observed in credential harvesting campaigns. Messages whose current thread is classified as Japanese are excluded, as are senders with a benign or solicited history for the recipient organization.

Sublime rule (View on GitHub)

name: "Service Abuse: Nifty.com with impersonation"
description: "Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "nifty.com"
  and (
    sender.email.local_part in map(recipients.to, .email.local_part)
    or sender.email.local_part in $org_slds
  )

  // nifty.com is a Japanese provider; Japanese-language mail is expected
  and ml.nlu_classifier(body.current_thread.text).language != "japanese"

  // exclude senders with a benign history or solicited mail
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Spoofing"
detection_methods:
  - "Sender analysis"
id: "370cfdac-4976-59a1-ae1f-7cd5594eb958"
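The following is an added example, not code from the Sublime rule or from Sublime Security: a plain-Python re-implementation of the rule's sender-analysis logic, run over constructed sample messages so each condition can be traced by hand. The `$org_slds` contents (`acme`), the sender-profile flags, the body language label and the `root_domain` helper are all assumptions standing in for Sublime's `profile.*`, `ml.nlu_classifier()` and domain parsing; string comparison is lowercased here, which may differ from MQL's `in` semantics.

```python
"""Added example: the Nifty.com impersonation rule re-expressed in Python.

Not Sublime's code. Message fields below replace Sublime's profile.* and
ml.nlu_classifier() lookups; $org_slds is the constructed ORG_SLDS set.
"""
from dataclasses import dataclass, field

# Assumption: the protected organization owns acme.com, so its SLD is "acme".
# In Sublime this comes from the $org_slds list.
ORG_SLDS = {"acme"}


@dataclass
class Message:
    sender: str
    recipients_to: list[str]
    language: str = "english"          # stands in for ml.nlu_classifier(...).language
    any_messages_benign: bool = False  # stands in for profile.by_sender_email().any_messages_benign
    solicited: bool = False            # stands in for profile.by_sender_email().solicited
    inbound: bool = True               # stands in for type.inbound


def local_part(address: str) -> str:
    """Part before the final '@', lowercased (assumption: case-insensitive match)."""
    return address.rsplit("@", 1)[0].lower()


def root_domain(address: str) -> str:
    """Registrable domain, simplified to the last two labels.

    Sufficient for nifty.com and mail.nifty.com; a production version should
    use the public suffix list so that e.g. example.co.jp is handled.
    """
    host = address.rsplit("@", 1)[1].lower()
    return ".".join(host.split(".")[-2:])


def matches_rule(msg: Message, org_slds: set[str] = ORG_SLDS) -> bool:
    """Mirror of the rule's `source` block, condition by condition."""
    if not msg.inbound:
        return False
    if root_domain(msg.sender) != "nifty.com":
        return False
    sender_lp = local_part(msg.sender)
    recipient_lps = {local_part(r) for r in msg.recipients_to}
    # sender local part equals a To: recipient's local part, or an org SLD
    if sender_lp not in recipient_lps and sender_lp not in org_slds:
        return False
    # Japanese-language mail from a Japanese provider is expected traffic
    if msg.language == "japanese":
        return False
    # senders with benign or solicited history are excluded
    if msg.any_messages_benign or msg.solicited:
        return False
    return True


# Constructed sample messages (not real captured mail).
SAMPLES = {
    "recipient_local_part": Message("j.doe@nifty.com", ["j.doe@acme.com"]),
    "org_sld": Message("acme@nifty.com", ["bob@acme.com"]),
    "subdomain_sender": Message("bob@mail.nifty.com", ["bob@acme.com"]),
    "no_impersonation": Message("support@nifty.com", ["bob@acme.com"]),
    "japanese_body": Message("j.doe@nifty.com", ["j.doe@acme.com"], language="japanese"),
    "known_benign": Message("j.doe@nifty.com", ["j.doe@acme.com"], any_messages_benign=True),
    "other_provider": Message("j.doe@example.com", ["j.doe@acme.com"]),
}


def evaluate_samples() -> dict[str, bool]:
    """Return the rule verdict for every constructed sample."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

The `subdomain_sender` case shows why the rule keys on `root_domain` rather than the full domain, and the `japanese_body` and `known_benign` cases show the two false-positive suppressions doing their work; tuning for your own tenant means revisiting `ORG_SLDS` and, in Sublime, the `$org_slds` list.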