Link: Unformatted template with literal placeholder in mailto link

Detects inbound messages containing mailto links whose href URL still contains an unresolved template placeholder, indicating the sender used a templating system but failed to substitute real values before sending. Two patterns are flagged: an '@{domain}' placeholder, treated as a strong standalone signal; and a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which fires only when the NLU classifier detects high-confidence credential-theft (cred_theft) or business-email-compromise (bec) intent in the current thread, suppressing benign templated mail.

Sublime rule (View on GitHub)

 1name: "Link: Unformatted template with literal placeholder in mailto link"
 2description: "Detects inbound messages containing mailto links whose href URL still contains an unresolved template placeholder, indicating the sender used a templating system but failed to substitute real values before sending. Two patterns are flagged: an '@{domain}' placeholder, treated as a strong standalone signal; and a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which fires only when the NLU classifier detects high-confidence credential-theft (cred_theft) or business-email-compromise (bec) intent in the current thread, suppressing benign templated mail."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.scheme == "mailto"
 9          and (
10            // @{domain} pattern is strong
11            regex.icontains(.href_url.url, '@\s*{\s*domain\s*}')
12            // combine {RECIPIENT_EMAIL} and {SENDER EMAIL} with NLU to remove a bunch of
13            // benign use cases
14            or (
15              regex.icontains(.href_url.url,
16                              '{\s*(?:RECIPIENT|SENDER)[_\s]?EMAIL\s*}'
17              )
18              and any(ml.nlu_classifier(body.current_thread.text).intents,
19                      .name in ("cred_theft", "bec") and .confidence == "high"
20              )
21            )
22          )
23  )  
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Social engineering"
28  - "Evasion"
29detection_methods:
30  - "URL analysis"
31  - "Content analysis"
32id: "b27e9e2a-a979-584f-9da7-a2936829ae0c"
to-top