Service abuse: Nylas tracking subdomain with suspicious content

Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service.

Sublime rule

```yaml
name: "Service abuse: Nylas tracking subdomain with suspicious content"
description: "Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(body.current_thread.links, .href_url.domain.sld == "nylas"),
          .display_text is not null
          and strings.icontains(.href_url.domain.subdomain, 'tracking')
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a3a6c896-1d1e-5a7c-ad72-6adda57a329f"
```
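To make the rule's three conditions concrete, here is an added Python walkthrough that is not part of the Sublime rule and does not use Sublime's engine. It re-implements the same logic over a few constructed messages: the link must resolve to a domain whose second-level label is `nylas` with `tracking` somewhere in the subdomain, the link must carry display text rather than being a bare URL, and the body must carry a `cred_theft` intent above low confidence. The NLU step is represented by pre-labelled intents on each sample (a stand-in for `ml.nlu_classifier`), and the domain split is a simplified one that assumes a single-label public suffix such as `.com` rather than a public-suffix-list-aware parse.

```python
from urllib.parse import urlparse

# Constructed sample messages (not from the page), shaped after the fields
# the rule reads: inbound flag, body links, and NLU intents for the body text.
SAMPLES = {
    # All three conditions hold: tracking subdomain, display text, cred_theft intent.
    "tracking_link_with_cred_theft": {
        "inbound": True,
        "links": [{"href_url": "https://tracking.nylas.com/t/abc", "display_text": "Review your account"}],
        "intents": [{"name": "cred_theft", "confidence": "high"}],
    },
    # Same link, but the NLU intent is low confidence, so the rule stays quiet.
    "tracking_link_low_confidence": {
        "inbound": True,
        "links": [{"href_url": "https://tracking.nylas.com/t/abc", "display_text": "Review your account"}],
        "intents": [{"name": "cred_theft", "confidence": "low"}],
    },
    # Bare URL (no display text): display_text is null, so the link filter fails.
    "bare_tracking_url": {
        "inbound": True,
        "links": [{"href_url": "https://tracking.nylas.com/t/abc", "display_text": None}],
        "intents": [{"name": "cred_theft", "confidence": "high"}],
    },
    # Nylas domain but no "tracking" label in the subdomain.
    "non_tracking_subdomain": {
        "inbound": True,
        "links": [{"href_url": "https://www.nylas.com/", "display_text": "Nylas"}],
        "intents": [{"name": "cred_theft", "confidence": "high"}],
    },
    # Outbound message: type.inbound is false, nothing else matters.
    "outbound_message": {
        "inbound": False,
        "links": [{"href_url": "https://tracking.nylas.com/t/abc", "display_text": "Review your account"}],
        "intents": [{"name": "cred_theft", "confidence": "high"}],
    },
}


def split_domain(hostname):
    """Simplified (subdomain, sld, tld) split used as a stand-in for
    .href_url.domain.subdomain / .sld. Assumes a single-label public
    suffix; a production parser would consult the public suffix list."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def link_matches(link):
    """Mirror of the filter + any() over body.current_thread.links."""
    host = urlparse(link.get("href_url") or "").hostname or ""
    subdomain, sld, _ = split_domain(host)
    return (
        sld == "nylas"
        and link.get("display_text") is not None   # bare URLs are excluded
        and "tracking" in subdomain                 # strings.icontains, case-folded above
    )


def intent_matches(intent):
    """Mirror of the intent check: cred_theft at medium or high confidence."""
    return intent.get("name") == "cred_theft" and intent.get("confidence") != "low"


def rule_matches(message):
    """Return True when all three rule conditions hold for a message."""
    return bool(
        message.get("inbound", False)
        and any(link_matches(link) for link in message.get("links", []))
        and any(intent_matches(intent) for intent in message.get("intents", []))
    )


def evaluate_samples():
    """Evaluate every constructed sample; returns {sample_name: matched}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:32} -> {'MATCH' if matched else 'no match'}")
```

The negative samples are the useful part: they show that the rule is deliberately narrow. A tracking link alone, or credential-theft language alone, does not fire it; both must be present, and a plain pasted URL with no anchor text is left to other rules.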
