Link: Unformatted template with literal placeholder in mailto link
Detects inbound messages containing mailto links whose href URL still contains an unresolved template placeholder, indicating the sender used a templating system but failed to substitute real values before sending. Two patterns are flagged: an '@{domain}' placeholder, treated as a strong standalone signal; and a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which fires only when the NLU classifier detects high-confidence credential-theft (cred_theft) or business-email-compromise (bec) intent in the current thread, suppressing benign templated mail.
Sublime rule (View on GitHub)
1name: "Link: Unformatted template with literal placeholder in mailto link"
2description: "Detects inbound messages containing mailto links whose href URL still contains an unresolved template placeholder, indicating the sender used a templating system but failed to substitute real values before sending. Two patterns are flagged: an '@{domain}' placeholder, treated as a strong standalone signal; and a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which fires only when the NLU classifier detects high-confidence credential-theft (cred_theft) or business-email-compromise (bec) intent in the current thread, suppressing benign templated mail."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 .href_url.scheme == "mailto"
9 and (
10 // @{domain} pattern is strong
11 regex.icontains(.href_url.url, '@\s*{\s*domain\s*}')
12 // combine {RECIPIENT_EMAIL} and {SENDER EMAIL} with NLU to remove a bunch of
13 // benign use cases
14 or (
15 regex.icontains(.href_url.url,
16 '{\s*(?:RECIPIENT|SENDER)[_\s]?EMAIL\s*}'
17 )
18 and any(ml.nlu_classifier(body.current_thread.text).intents,
19 .name in ("cred_theft", "bec") and .confidence == "high"
20 )
21 )
22 )
23 )
24attack_types:
25 - "Credential Phishing"
26tactics_and_techniques:
27 - "Social engineering"
28 - "Evasion"
29detection_methods:
30 - "URL analysis"
31 - "Content analysis"
32id: "b27e9e2a-a979-584f-9da7-a2936829ae0c"