Spam: Mastercard promotional content with image-based body

calendar Nov 5, 2025  ·
Share on: linkedin copy

Detects messages promoting untrustworthy Mastercard credit cards that contain both financial communications and promotional content topics, with the message body primarily consisting of image content rather than text. Excludes legitimate payment-related Mastercard communications and applies additional scrutiny to high-trust sender domains that fail DMARC authentication.

Sublime rule (View on GitHub)

 1name: "Spam: Mastercard promotional content with image-based body"
 2description: "Detects messages promoting untrustworthy Mastercard credit cards that contain both financial communications and promotional content topics, with the message body primarily consisting of image content rather than text. Excludes legitimate payment-related Mastercard communications and applies additional scrutiny to high-trust sender domains that fail DMARC authentication."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  and not subject.is_forward
 9  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
10          .name == "Financial Communications"
11  )
12  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
13          .name == "Advertising and Promotions"
14  )
15  
16  // mastercard mention
17  and strings.icontains(beta.ocr(file.message_screenshot()).text, "mastercard")
18  and not strings.icontains(beta.ocr(file.message_screenshot()).text,
19                            "paying with mastercard"
20  )
21  
22  // body is image
23  and (
24    length(beta.ocr(file.message_screenshot()).text) / length(body.current_thread.text
25    )
26  ) > 10
27  and length(body.previous_threads) == 0
28  
29  // negate highly trusted sender domains unless they fail DMARC authentication
30  and (
31    (
32      sender.email.domain.root_domain in $high_trust_sender_root_domains
33      and not headers.auth_summary.dmarc.pass
34    )
35    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36  )  
37
38attack_types:
39  - "Credential Phishing"
40  - "Spam"
41tactics_and_techniques:
42  - "Image as content"
43  - "Impersonation: Brand"
44  - "Social engineering"
45detection_methods:
46  - "Computer Vision"
47  - "Content analysis"
48  - "Header analysis"
49  - "Natural Language Understanding"
50  - "Optical Character Recognition"
51  - "Sender analysis"
52id: "5f2cb559-0db6-5aa0-b8ee-496d688eafa0"
to-top