Link: Self-sender with sender org in subject and credential theft indicator
Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.
Sublime rule:

```yaml
name: "Link: Self-sender with sender org in subject and credential theft indicator"
description: "Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender behavior
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and sender.email.email == recipients.to[0].email.email

  // not self sender from the org_domain, this rule is not going to detect spoofed domains to limit FPs caused by various email auth issues.
  and not sender.email.domain.domain in $org_domains

  and profile.by_sender_email().prevalence == "new"

  // org name in the subject, removing the subject from NLU to prevent the org being extracted from the subject
  and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
                 .name == "org"
                 and .text != sender.email.domain.sld
                 and .text != sender.email.domain.domain
          ),
          // not an icontains, make it an exact match
          strings.contains(subject.base, .text)
  )
  // must contain a link
  and 0 < length(body.current_thread.links) < 20

  // cred theft
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  // all attachments are inline images or there are 0 attachments
  and (
    length(attachments) == 0
    // there are only image attachments and all image attachments are served inline
    or (
      length(attachments) > 0
      and (
        all(attachments,
            .file_type in $file_types_images
            // all images are embedded in the html
            and strings.icontains(body.html.raw,
                                  strings.concat('src="cid:', .content_id)
            )
        )
      )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Header analysis"
id: "bfa9aa08-ed3b-5e4a-a83c-192efd126530"
```
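To make the rule's deterministic predicates concrete, the following is an added Python re-implementation of them (not Sublime's code, and not the MQL engine) run over a constructed message. The two ML-derived inputs, the NLU `org` entities and the `cred_theft` intent, come from Sublime's own models, so here they are passed in as plain lists; `IMAGE_TYPES` is an assumed stand-in for `$file_types_images`, and `sld_of` is an approximation of `sender.email.domain.sld` that ignores multi-label public suffixes. It shows two details that are easy to miss when reading the rule: the org-name match is case-sensitive (`strings.contains`, not `icontains`) and excludes names that are just the sender's own domain or SLD, and the attachment clause passes only when every attachment is an image that the HTML actually references by `cid:`.

```python
# Added example, not Sublime's code: a plain-Python re-implementation of the
# deterministic predicates in the rule above, run over a constructed message.
# NLU entities and intents are supplied as inputs because they come from
# Sublime's own models.
from dataclasses import dataclass


@dataclass
class Attachment:
    file_type: str     # e.g. "png"
    content_id: str    # Content-ID value without the angle brackets


@dataclass
class Message:
    sender_email: str
    to: list
    cc: list
    subject: str
    html: str               # body.html.raw
    links: list             # body.current_thread.links
    attachments: list
    sender_prevalence: str  # profile.by_sender_email().prevalence


# Assumed stand-in for Sublime's $file_types_images list.
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def sld_of(domain):
    # Approximation of sender.email.domain.sld: the label left of the TLD.
    # Multi-label public suffixes (co.uk etc.) are not handled here.
    return domain.split(".")[-2] if "." in domain else domain


def is_self_sender(msg):
    return (len(msg.to) == 1 and len(msg.cc) == 0
            and msg.sender_email.lower() == msg.to[0].lower())


def org_name_in_subject(msg, entities):
    # Mirrors the any(filter(...)) block: keep "org" entities that are not the
    # sender's own SLD or domain, then require a case-sensitive substring match
    # in the subject (strings.contains, not strings.icontains).
    domain = domain_of(msg.sender_email)
    sld = sld_of(domain)
    names = [e["text"] for e in entities
             if e["name"] == "org" and e["text"] not in (sld, domain)]
    return any(name in msg.subject for name in names)


def high_confidence_cred_theft(intents):
    return any(i["name"] == "cred_theft" and i["confidence"] == "high"
               for i in intents)


def attachments_inline_images_only(msg):
    # Zero attachments passes; otherwise every attachment must be an image
    # that the HTML references via src="cid:<content_id>" (case-insensitive).
    if not msg.attachments:
        return True
    html = msg.html.lower()
    return all(a.file_type.lower() in IMAGE_TYPES
               and f'src="cid:{a.content_id}"'.lower() in html
               for a in msg.attachments)


def rule_matches(msg, org_domains, entities, intents):
    org = {d.lower() for d in org_domains}
    return (is_self_sender(msg)
            and domain_of(msg.sender_email) not in org
            and msg.sender_prevalence == "new"
            and org_name_in_subject(msg, entities)
            and 0 < len(msg.links) < 20
            and high_confidence_cred_theft(intents)
            and attachments_inline_images_only(msg))


# Constructed sample: a "from yourself" message naming an org in the subject,
# with one inline logo image and a single link.
SAMPLE = Message(
    sender_email="jane.doe@example.net",
    to=["jane.doe@example.net"],
    cc=[],
    subject="Contoso IT: your password expires today",
    html='<html><body><img src="cid:logo001"><p>Sign in to keep access.</p></body></html>',
    links=["https://login.invalid/reset"],
    attachments=[Attachment("png", "logo001")],
    sender_prevalence="new",
)
SAMPLE_ENTITIES = [{"name": "org", "text": "Contoso"}]
SAMPLE_INTENTS = [{"name": "cred_theft", "confidence": "high"}]
ORG_DOMAINS = ["corp.example"]  # constructed $org_domains


if __name__ == "__main__":
    print("match:", rule_matches(SAMPLE, ORG_DOMAINS, SAMPLE_ENTITIES, SAMPLE_INTENTS))
```

Running it prints `match: True` for the sample; lowering the case of "Contoso" in the subject, adding `example.net` to `ORG_DOMAINS`, or attaching an image whose `content_id` the HTML never references each turns the result to `False`, which is the behaviour the rule's comments describe.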