Spam: Fake dating profile notification
Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body.
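name: "Spam: Fake dating profile notification"
description: "Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body."
type: "rule"
severity: "low"
# Detection logic (MQL). Every clause below must hold for the rule to fire;
# the comments explain why each one is there and where it is deliberately narrow.
source: |
  type.inbound
  // Scoped to free-mail senders only: the sender's root domain must be in the
  // $free_email_providers list, so mail from corporate or custom domains is
  // out of scope for this rule by design.
  and sender.email.domain.root_domain in $free_email_providers
  // not a reply
  and length(headers.references) == 0
  // Small link footprint: the current thread must link to between one and
  // three distinct root domains (template spam typically points at one
  // landing/tracking domain, not a long list).
  and 0 < length(distinct(body.current_thread.links, .href_url.domain.root_domain)
  ) <= 3
  // Personalised tracking link: some link carries the recipient's own address
  // in a decoded "email" query parameter. Only the literal key "email" and only
  // the To: recipients are compared. NOTE(review): a differently named
  // parameter, or an address reached via Cc, would not match - confirm that is
  // intended. This clause scans body.links (whole body) while the domain count
  // above is scoped to body.current_thread.links - confirm the mismatch is
  // deliberate.
  and any(body.links,
  any(.href_url.query_params_decoded["email"],
  strings.parse_email(.).email in map(recipients.to, .email.email)
  )
  )
  // Dating theme, established by either branch: an "org" entity whose text
  // matches a dating-style glob, or the NLU "Romance" topic.
  // NOTE(review): the globs are unanchored substrings, so "*Date*" also
  // matches org names such as "Update" or "Candidates"; the other clauses are
  // what keep the false-positive rate acceptable.
  and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
  .name == "org"
  and strings.ilike(.text, "*Date*", "*Dating*", "*Girls*", "*Love*")
  )
  or any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Romance")
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "0f33fea2-1508-5ae8-a31b-9d498dfcadba"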