Spam: Website errors solicitation

This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request.

Sublime rule

 1name: "Spam: Website errors solicitation"
 2description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and (
 8    sender.email.email not in $recipient_emails
 9    or not profile.by_sender().solicited
10  )
11  and 1 of (
12    // Single thread message groups
13    (
14      length(attachments) == 0
15      and length(body.links) == 0
16      and length(body.previous_threads) == 0
17      and 20 < length(body.current_thread.text) < 500
18      and regex.icontains(body.current_thread.text, "screenshot|error list|plan")
19      and regex.icontains(body.current_thread.text, ".*(hi|hello|hey)")
20      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
21      and regex.icontains(body.current_thread.text, ".*(site|website)")
22      and regex.icontains(subject.subject,
23                          ".*(proposal|cost|report|error|audit|screenshot)"
24      )
25    ),
26    // Single thread message groups but with 1 unsubscribe link or link is recipient
27    (
28      length(attachments) == 0
29      and length(body.links) == 1
30      and (
31        regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
32        or any(body.links, .href_url.domain.root_domain in~ $org_domains)
33      )
34      and length(body.previous_threads) == 0
35      and 20 < length(body.current_thread.text) < 500
36      and regex.icontains(body.current_thread.text, "screenshot|error list|plan")
37      and regex.icontains(body.current_thread.text, ".*(hi|hello|hey)")
38      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
39      and regex.icontains(body.current_thread.text, ".*(site|website)")
40      and regex.icontains(subject.subject,
41                          ".*(proposal|cost|report|error|audit|screenshot)"
42      )
43    ),
44    // Multiple thread message groups
45    (
46      length(attachments) == 0
47      and length(body.links) == 0
48      and length(body.previous_threads) < 5
49      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit)")
50      and any(body.previous_threads,
51              length(.text) < 400
52              and regex.icontains(.text, '.*(hey|hi|hello)')
53              and regex.icontains(.text, '.*(\berror(?:\s+list)?\b|screenshot|report|plan)')
54              and strings.count(.text, "?") >= 3
55              and ml.nlu_classifier(.text).language == "english"
56      )
57    )
58  )  
59
60tags:
61  - "Attack surface reduction"
62attack_types:
63  - "Spam"
64detection_methods:
65  - "Content analysis"
66  - "Sender analysis"
67  - "Natural Language Understanding"
68id: "122ea794-f619-5f29-acb2-83261d8f81fc"
