Self-sender with copy/paste instructions and suspicious domains (French/Français)

Detects messages where the sender emails themselves (a single To recipient, no Cc, and the sender address among the recipients) with French body text containing both 'copier' (copy) and 'coller' (paste) instructions, a common pattern for "copy this link into your browser" lures that bypass URL rewriting and link scanning, together with a free-hosting subdomain such as pages.dev (Cloudflare Pages) or web.app (Firebase Hosting). The subject line must contain both the sender's email address and display name, and those two values must differ. Note that the copy/paste keyword checks are case-insensitive while the domain checks are case-sensitive substring matches on the current thread text.

Sublime rule (View on GitHub)

name: "Self-sender with copy/paste instructions and suspicious domains (French/Français)"
description: "Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender
  and (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and sender.email.email in map(recipients.to, .email.email)
  )
  and strings.icontains(subject.subject, sender.email.email)
  and strings.icontains(subject.subject, sender.display_name)
  and sender.email.email != sender.display_name
  // copy
  and strings.icontains(body.current_thread.text, 'copier')
  // paste
  and strings.icontains(body.current_thread.text, 'coller')
  and (
    strings.contains(body.current_thread.text, '.pages.dev')
    or strings.contains(body.current_thread.text, '.web.app')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "f51a5025-71f6-5626-a292-3e75dda0a1e7"
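The following is an added example, not Sublime's code or part of the rule above: it re-implements the rule's predicates in plain Python over constructed sample messages so the logic can be tested offline, and adds a URL extractor (not in the original rule) that pulls the free-host links out of the body for analyst triage. The `Message` dataclass, the sample messages, the lowercasing of addresses before comparison and the non-empty display name guard are all assumptions of this example, not behaviour the page documents.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed shape of the message fields the rule references; not Sublime's model.
@dataclass
class Message:
    sender_email: str
    sender_display_name: str
    to: list            # recipient email addresses
    cc: list            # cc email addresses
    subject: str
    body_text: str      # equivalent of body.current_thread.text

SUSPICIOUS_SUFFIXES = (".pages.dev", ".web.app")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_self_sender(msg: Message) -> bool:
    """Exactly one To recipient, no Cc, and the sender is that recipient.
    Assumption: addresses are compared case-insensitively."""
    return (
        len(msg.to) == 1
        and len(msg.cc) == 0
        and msg.sender_email.lower() in [r.lower() for r in msg.to]
    )


def subject_echoes_sender(msg: Message) -> bool:
    """Subject contains both the sender address and the display name
    (case-insensitive), and the two values differ. The non-empty display
    name guard is added here so an empty name cannot match trivially."""
    subj = msg.subject.lower()
    return (
        bool(msg.sender_display_name)
        and msg.sender_email.lower() in subj
        and msg.sender_display_name.lower() in subj
        and msg.sender_email != msg.sender_display_name
    )


def has_french_copy_paste_instructions(text: str) -> bool:
    """Case-insensitive check for both 'copier' and 'coller', as in the rule."""
    lowered = text.lower()
    return "copier" in lowered and "coller" in lowered


def has_free_host_domain(text: str) -> bool:
    """Case-sensitive substring check, mirroring strings.contains in the rule."""
    return any(suffix in text for suffix in SUSPICIOUS_SUFFIXES)


def matches_rule(msg: Message) -> bool:
    return (
        is_self_sender(msg)
        and subject_echoes_sender(msg)
        and has_french_copy_paste_instructions(msg.body_text)
        and has_free_host_domain(msg.body_text)
    )


def extract_suspicious_urls(text: str) -> list:
    """Triage helper (not part of the rule): URLs whose host ends with one
    of the free-hosting suffixes, so the analyst sees the actual lure link."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host.endswith(SUSPICIOUS_SUFFIXES):
            hits.append(url)
    return hits


# Constructed sample messages for demonstration; not real phishing samples.
SAMPLE_HIT = Message(
    sender_email="alice@example.com",
    sender_display_name="Alice Martin",
    to=["alice@example.com"],
    cc=[],
    subject="alice@example.com - Alice Martin",
    # French lure: "Hello, please copy the link below and paste it into your browser:"
    body_text="Bonjour, veuillez copier le lien ci-dessous et le coller dans "
              "votre navigateur : https://secure-login-verify.pages.dev/auth",
)

# Same body, but sent to someone else, so the self-sender condition fails.
SAMPLE_MISS = Message(
    sender_email="alice@example.com",
    sender_display_name="Alice Martin",
    to=["bob@example.org"],
    cc=[],
    subject="alice@example.com - Alice Martin",
    body_text=SAMPLE_HIT.body_text,
)

if __name__ == "__main__":
    for name, msg in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, matches_rule(msg), extract_suspicious_urls(msg.body_text))
```

Run it directly to see one message matching and the other not; the extractor is the piece to reach for when tuning, since it shows which free-host link actually triggered the domain clause.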