Fake message thread with a suspicious link and engaging language from an unknown sender

calendar Nov 12, 2025  ยท
Share on: linkedin copy

Detects fake message threads with suspicious links and financial request language

Sublime rule (View on GitHub)

 1name: "Fake message thread with a suspicious link and engaging language from an unknown sender"
 2description: "Detects fake message threads with suspicious links and financial request language"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  
 9  // fake thread check
10  and (subject.is_reply or subject.is_forward)
11  
12  // Check for the Presence of References or In-Reply-To properties
13  and (
14    (length(headers.references) == 0 and headers.in_reply_to is null)
15    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
16  )
17  
18  // sender's domain is not in body, and body has > 0 links
19  and length(body.links) > 0
20  and sender.email.domain.root_domain not in $free_email_providers
21  and not any(body.links,
22              .href_url.domain.root_domain == sender.email.domain.root_domain
23  )
24  
25  // unusual sender (email address rarely sends to your organization)
26  and sender.email.email not in $sender_emails
27  
28  // unusual sender domain (domain rarely sends to your organization)
29  and sender.email.domain.domain not in $sender_domains
30  and 4 of (
31    // language attempting to engage
32    (
33      any(ml.nlu_classifier(body.current_thread.text).entities,
34          .name == "request"
35      )
36      and any(ml.nlu_classifier(body.current_thread.text).entities,
37              .name == "financial"
38      )
39    ),
40  
41    // invoicing language
42    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
43  
44    // urgency request
45    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
46  
47    // cred_theft detection
48    any(ml.nlu_classifier(body.current_thread.text).intents,
49        .name == "cred_theft" and .confidence in~ ("medium", "high")
50    ),
51  
52    // commonly abused sender TLD
53    strings.ilike(sender.email.domain.tld, "*.jp"),
54  
55    // headers traverse abused TLD
56    any(headers.domains, strings.ilike(.tld, "*.jp")),
57  
58    // known suspicious pattern in the URL path
59    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
60  
61    // link display text is in all caps
62    any(body.links, regex.match(.display_text, '[A-Z ]+')),
63  
64    // display name contains an email
65    regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
66  
67    // Sender domain is empty
68    sender.email.domain.domain == "",
69  
70    // sender domain matches no body domains
71    all(body.links,
72        .href_url.domain.root_domain != sender.email.domain.root_domain
73    ),
74  )
75
76  // negate highly trusted sender domains unless they fail DMARC authentication
77  and (
78    (
79      sender.email.domain.root_domain in $high_trust_sender_root_domains
80      and not headers.auth_summary.dmarc.pass
81    )
82    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
83  )
84    
85attack_types:
86  - "Credential Phishing"
87tactics_and_techniques:
88  - "Social engineering"
89detection_methods:
90  - "Content analysis"
91  - "Header analysis"
92  - "Natural Language Understanding"
93  - "Sender analysis"
94  - "URL analysis"
95id: "8fd0e211-285d-5cbd-9c11-868c0501b526"
to-top