Link: Self-sender with sender org in subject and credential theft indicator

calendar Jan 12, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.

Sublime rule (View on GitHub)

 1name: "Link: Self-sender with sender org in subject and credential theft indicator"
 2description: "Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // self sender behavior
 8  and length(recipients.to) == 1
 9  and length(recipients.cc) == 0
10  and sender.email.email == recipients.to[0].email.email
11  
12  // not self sender from the org_domain, this rule is not going to detect spoofed domains to limit FPs caused by various email auth issues.
13  and not sender.email.domain.domain in $org_domains
14  and profile.by_sender_email().prevalence == "new"
15  
16  // org name in the subject, removing the subject from NLU to prevent the org being extracted from the subject
17  and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
18                 .name == "org"
19                 and .text != sender.email.domain.sld
20                 and .text != sender.email.domain.domain
21          ),
22          // not an icontains, make it an exact match
23          strings.contains(subject.base, .text)
24  )
25  // must contain a link
26  and 0 < length(body.current_thread.links) < 20
27  
28  // cred theft
29  and any(ml.nlu_classifier(body.current_thread.text).intents,
30          .name == "cred_theft" and .confidence == "high"
31  )
32  // all attachments are inline images or there are 0 attachments
33  and (
34    length(attachments) == 0
35    // there are only image attachments and all image attachments are served inline
36    or (
37      length(attachments) > 0
38      and (
39        all(attachments,
40            .file_type in $file_types_images
41            // all images are embedded in the html
42            and strings.icontains(body.html.raw,
43                                  strings.concat('src="cid:', .content_id)
44            )
45        )
46      )
47    )
48  )  
49tags:
50 - "Attack surface reduction"
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "Social engineering"
55  - "Evasion"
56detection_methods:
57  - "Natural Language Understanding"
58  - "Content analysis"
59  - "Sender analysis"
60  - "URL analysis"
61  - "Header analysis"
62id: "bfa9aa08-ed3b-5e4a-a83c-192efd126530"

Related rules

to-top