Suspicious display name: Gmail sender with engaging languages
Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts.
Sublime rule:

name: "Suspicious display name: Gmail sender with engaging languages"
description: "Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts."
type: "rule"
severity: "low"
source: |
  type.inbound
  and 2 of (
    strings.icontains(sender.display_name, "kindly"),
    strings.icontains(sender.display_name, 'phone'),
    strings.icontains(sender.display_name, 'cell'),
    strings.icontains(sender.display_name, 'expedite'),
    strings.icontains(sender.display_name, 'urgent'),
    strings.icontains(sender.display_name, 'contact'),
    strings.icontains(sender.display_name, 'review'),
    strings.icontains(sender.display_name, 'confirm'),
    strings.icontains(sender.display_name, 'asap'),
    strings.icontains(sender.display_name, 'follow up'),
    strings.icontains(sender.display_name, 'nicely'),
    strings.icontains(sender.display_name, 'btc'),
    strings.icontains(sender.display_name, 'reply'),
    strings.icontains(sender.display_name, 'respond'),
    strings.icontains(sender.display_name, 'verify'),
    strings.icontains(sender.display_name, 'convenience'),
    strings.icontains(sender.display_name, 'response'),
    strings.icontains(sender.display_name, 'number'),
    strings.icontains(sender.display_name, 'mobile'),
    strings.icontains(sender.display_name, 'text'),
    strings.icontains(sender.display_name, 'request'),
    strings.icontains(sender.display_name, 'required'),
    strings.icontains(sender.display_name, 'important'),
    strings.icontains(sender.display_name, 'need'),
    strings.icontains(sender.display_name, 'quick'),
    strings.icontains(sender.display_name, 'sensitive'),
    strings.icontains(sender.display_name, 'reach'),
    strings.icontains(sender.display_name, 'action'),
  )
  and sender.email.domain.domain == 'gmail.com'
  and length(attachments) == 0
  and length(body.current_thread.links) == 0

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "82ca0ff1-e823-5930-aa2d-7d2b572a528b"
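The same four conditions, reproduced in Python over raw RFC 5322 text so the rule's logic can be exercised outside Sublime. This is an added example, not the rule's or Sublime's own code; it assumes messages are available as raw text, reads the full domain part where the rule uses the registered domain, and approximates body.current_thread.links with a URL regex over the body.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Term list copied from the Sublime rule; matching is case-insensitive.
ENGAGING_TERMS = [
    "kindly", "phone", "cell", "expedite", "urgent", "contact", "review",
    "confirm", "asap", "follow up", "nicely", "btc", "reply", "respond",
    "verify", "convenience", "response", "number", "mobile", "text", "request",
    "required", "important", "need", "quick", "sensitive", "reach", "action",
]
# Stand-in for body.current_thread.links: any http(s) URL in the body text.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def display_name_hits(display_name):
    """Rule terms found in the display name, in rule order."""
    lowered = display_name.lower()
    return [term for term in ENGAGING_TERMS if term in lowered]

def matches_rule(raw_message):
    """Mirror the rule: 2+ terms in the display name, a gmail.com sender,
    no attachments and no links in the body. Returns (matched, hits)."""
    msg = message_from_string(raw_message, policy=default)
    # policy=default decodes RFC 2047 encoded words; parseaddr splits name/address.
    display_name, address = parseaddr(str(msg.get("From", "")))
    # Full domain part; the rule's sender.email.domain.domain is the registered domain.
    domain = address.rpartition("@")[2].lower()
    hits = display_name_hits(display_name)
    has_attachments = any(True for _ in msg.iter_attachments())
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    has_links = URL_RE.search(body_text) is not None
    matched = (len(hits) >= 2 and domain == "gmail.com"
               and not has_attachments and not has_links)
    return matched, hits

# Constructed sample messages (not real mail) exercising the rule's conditions.
HIT = ('From: "Urgent: Kindly Reply ASAP" <someone@gmail.com>\n'
       "To: victim@example.com\nSubject: hi\n\nAre you available?\n")
MISS_LINK = HIT.replace("Are you available?", "See https://example.com/x")
MISS_DOMAIN = HIT.replace("@gmail.com", "@example.org")

if __name__ == "__main__":
    for label, raw in [("hit", HIT), ("link", MISS_LINK), ("domain", MISS_DOMAIN)]:
        print(label, matches_rule(raw))
```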