Suspicious recipients pattern with NLU credential theft indicators

Detects inbound messages sent to undisclosed recipients (likely all bcc) where the NLU classifier identifies a credential-theft intent with medium or high confidence and the body links to a domain outside the Tranco top-1M list (used here as a low-reputation proxy), with link text that reads like a document/download lure or is written in all caps.

Sublime rule (View on GitHub)

# Sublime detection rule: credential-phishing lure delivered to hidden recipients.
# All of the following must hold on an inbound message for the rule to fire:
#   1. Recipient pattern — the To header is empty, or every To entry's display
#      name matches "undisclosed?recipients" (ilike, case-insensitive; the `?`
#      stands in for the single separator character between the two words);
#      Cc is empty and Bcc holds at most one address, i.e. the real audience
#      was hidden behind bcc.
#   2. At least one body link whose root domain is NOT in the Tranco top-1M
#      list. Tranco is a popularity list, not a reputation feed: absence from
#      it is a low-reputation proxy and legitimately low-traffic domains also
#      qualify, so expect some benign hits from small senders.
#   3. Lure-like link text: some link's display text contains a document /
#      download keyword, or every link's display text is uppercase letters and
#      spaces only (regex.match is taken to be a whole-string match — confirm
#      against the MQL reference if tuning this).
#   4. The NLU classifier reports a `cred_theft` intent on the current thread
#      text with medium or high confidence.
# NOTE(review): clauses 2 and 3 are two independent any() scans over body.links,
# so the non-Tranco link and the lure-text link need not be the same link; a
# message with an unrelated non-Tranco link (e.g. a tracker) plus a reputable
# "Download" link satisfies both. Correlating them inside one any() would tie
# the lure to the low-reputation domain the description claims.
# NOTE(review): in the lure regex the leading group `(view|click|download|goto)?`
# is optional and the match is a contains-match, so the pattern reduces to
# "display text contains attachment|download|file|online|document(s)". It also
# fires on substrings such as "profile" or "offline"; the prefix group adds no
# selectivity as written.
name: "Suspicious recipients pattern with NLU credential theft indicators"
description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain"
type: "rule"
severity: "medium"
# MQL source; clause numbering follows the header comment above.
source: |
  type.inbound
  and (
    length(recipients.to) == 0
    or all(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  )
  and length(recipients.cc) == 0
  and 0 <= length(recipients.bcc) <= 1
  and any(body.links, .href_url.domain.root_domain not in $tranco_1m)
  and (
    any(body.links,
        regex.icontains(.display_text,
                        '(view|click|download|goto)?(attachment|download|file|online|document)s?'
        )
        or all(body.links, regex.match(.display_text, "[A-Z ]+"))
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft") and .confidence in ("medium", "high")
  )  
# Taxonomy metadata used for reporting/filtering; does not affect matching.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
# Stable rule identifier; do not change on edits, or downstream references break.
id: "8e121c3e-b9cf-5aa3-b799-e025a69b7d8c"