Link: Self-sender credential theft with configuration placeholder

Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure.

Sublime rule (View on GitHub)

name: "Link: Self-sender credential theft with configuration placeholder"
description: "Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and sender.email.email == recipients.to[0].email.email
  and any(body.current_thread.links,
          strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                           '/*──── CONFIG: Replace with your lure URL ────*/'
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
id: "dbf2ce70-9637-5c05-a98c-5af01c687d17"
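The rule's two conditions (exactly one To recipient equal to the sender, and a link whose fetched landing page still contains the unedited kit placeholder) re-implemented in Python as an added example; this is not Sublime's code. The message and the `final_dom_by_url` dictionary (standing in for what `ml.link_analysis(...).final_dom.raw` would return) are constructed, and the href extractor and function names are assumptions.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Placeholder literal copied from the rule's source: phishing kits ship with this
# comment and a careless operator may leave it in the served page.
CONFIG_PLACEHOLDER = '/*──── CONFIG: Replace with your lure URL ────*/'

# Assumption: links of interest are anchor hrefs in the HTML body.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> list[str]:
    return HREF_RE.findall(html)


def is_self_sender(msg) -> bool:
    """Mirrors: length(recipients.to) == 1 and sender == recipients.to[0]."""
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return len(to_addrs) == 1 and sender == to_addrs[0]


def matches_rule(raw_msg: str, final_dom_by_url: dict[str, str]) -> bool:
    """final_dom_by_url maps each link to the DOM of its final landing page
    (constructed here; in Sublime this comes from ml.link_analysis)."""
    msg = email.message_from_string(raw_msg, policy=policy.default)
    if not is_self_sender(msg):
        return False
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Exact substring match, like strings.contains on the placeholder literal.
    return any(CONFIG_PLACEHOLDER in final_dom_by_url.get(url, "")
               for url in extract_links(html))


# Constructed sample: a self-addressed credential lure with one link.
SAMPLE_MSG = """From: user@example.com
To: user@example.com
Subject: Your mailbox password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Verify your credentials: <a href="https://lure.example/login">Sign in</a></p></body></html>
"""

# Constructed: the landing page still carries the kit's unedited config comment.
FINAL_DOM = {
    "https://lure.example/login":
        "<script>var target = '/*──── CONFIG: Replace with your lure URL ────*/';</script>",
}

# Same lure sent to a different recipient: the self-sender condition fails.
OTHER_RECIPIENT_MSG = SAMPLE_MSG.replace("To: user@example.com", "To: other@example.com")
```

Note that the self-sender check requires exactly one To address, so a self-addressed message that also lists other recipients in To does not match, which is the behaviour of the original rule as written.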