Service Abuse: Nifty.com with impersonation

Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns

Sublime rule

```yaml
name: "Service Abuse: Nifty.com with impersonation"
description: "Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "nifty.com"
  and (
    sender.email.local_part in map(recipients.to, .email.local_part)
    or sender.email.local_part in $org_slds
  )

  and ml.nlu_classifier(body.current_thread.text).language != "japanese"

  // and no false positives and not solicited
  and not profile.by_sender_email().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Spoofing"
detection_methods:
  - "Sender analysis"
id: "370cfdac-4976-59a1-ae1f-7cd5594eb958"
```
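To see how the rule's conditions combine, here is an added Python model of the same logic evaluated over constructed sample messages. It is not Sublime's engine and not part of the rule: `root_domain` is simplified to the last two DNS labels (Sublime uses the public suffix list), and the `ml.nlu_classifier(...).language` and `profile.by_sender_email().any_messages_benign` lookups are replaced by plain fields on the message, since their real values come from Sublime's classifier and sender history. `ORG_SLDS` stands in for `$org_slds` and is assumed to hold the organization's second-level domain labels.

```python
"""Added illustration of the 'Nifty.com with impersonation' rule logic.

This is a stand-alone re-implementation for testing the rule's conditions on
constructed messages; it is not Sublime Security's code and does not use MQL.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Message:
    inbound: bool                    # type.inbound
    sender: str                      # sender.email
    to: List[str]                    # recipients.to[].email
    body_language: str               # stand-in for ml.nlu_classifier(...).language
    sender_has_benign_history: bool  # stand-in for profile.by_sender_email().any_messages_benign


def local_part(addr: str) -> str:
    """Portion of the address before the last '@', lower-cased."""
    return addr.rsplit("@", 1)[0].lower()


def root_domain(addr: str) -> str:
    """Simplified root domain: last two labels (Sublime uses the public suffix list)."""
    labels = addr.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:])


def matches_rule(msg: Message, org_slds: Set[str]) -> bool:
    """Mirror the rule: inbound, nifty.com root domain, impersonated local part,
    non-Japanese body text, and no benign history for this sender."""
    if not msg.inbound:
        return False
    if root_domain(msg.sender) != "nifty.com":
        return False
    sender_lp = local_part(msg.sender)
    recipient_lps = {local_part(r) for r in msg.to}
    impersonation = sender_lp in recipient_lps or sender_lp in {s.lower() for s in org_slds}
    if not impersonation:
        return False
    if msg.body_language == "japanese":   # legitimate nifty.com traffic is largely Japanese
        return False
    if msg.sender_has_benign_history:     # sender previously seen with benign messages
        return False
    return True


# Constructed sample data (hypothetical organization "acme" with domain acme.example).
ORG_SLDS = {"acme"}
SAMPLES = [
    # 1: sender local part equals the org SLD -> matches
    Message(True, "acme@nifty.com", ["it-helpdesk@acme.example"], "english", False),
    # 2: sender local part equals a recipient local part; nifty.com subdomain -> matches
    Message(True, "jsmith@mail.nifty.com", ["jsmith@acme.example"], "english", False),
    # 3: same pattern but Japanese body text -> excluded
    Message(True, "jsmith@mail.nifty.com", ["jsmith@acme.example"], "japanese", False),
    # 4: no local-part overlap -> no match
    Message(True, "newsletter@nifty.com", ["jsmith@acme.example"], "english", False),
    # 5: impersonation pattern but sender has benign history -> excluded
    Message(True, "acme@nifty.com", ["it-helpdesk@acme.example"], "english", True),
    # 6: different root domain -> no match
    Message(True, "acme@nifty.example", ["it-helpdesk@acme.example"], "english", False),
]


def run_samples() -> List[bool]:
    """Evaluate every constructed sample against the rule logic."""
    return [matches_rule(m, ORG_SLDS) for m in SAMPLES]


if __name__ == "__main__":
    for msg, hit in zip(SAMPLES, run_samples()):
        print(f"{'MATCH ' if hit else 'pass  '} {msg.sender} -> {msg.to}")
```

Samples 3 and 5 show why the two negative clauses matter: without the language check, ordinary Japanese-language mail from nifty.com users whose handle happens to match a recipient would fire, and without the sender-history check a known correspondent would be re-flagged on every message.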