Spam: Website errors solicitation

This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request.

Sublime rule (View on GitHub)

  1name: "Spam: Website errors solicitation"
  2description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
  3type: "rule"
  4severity: "low"
  5source: |
  6  type.inbound
  7  and (
  8    sender.email.email not in $recipient_emails
  9    or not profile.by_sender().solicited
 10  )
 11  and 1 of (
 12    // Single thread message groups
 13    (
 14      length(attachments) == 0
 15      and length(body.links) == 0
 16      and length(body.previous_threads) == 0
 17      and 20 < length(body.current_thread.text) < 500
 18      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 19                          "(?:screenshot|error list|plan|quote|rank|professional|price|mistake)"
 20      )
 21      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 22                          'h(?:i|ello|ey)\b'
 23      )
 24      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 25                          '(?:error|report|issues|repair|redesign|upgrade|Google\s+.{0,15}find it)'
 26      )
 27      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 28                          "(?:site|website|page)"
 29      )
 30      and (
 31        regex.icontains(strings.replace_confusables(subject.subject),
 32                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
 33        )
 34        or (
 35          strings.icontains(strings.replace_confusables(subject.subject), "report")
 36          and regex.icontains(strings.replace_confusables(body.current_thread.text),
 37                              "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back|just reply)"
 38          )
 39        )
 40        or length(subject.base) < 5
 41      )
 42    ),
 43    // Single thread message groups but with 1 unsubscribe link or link is recipient
 44    (
 45      length(attachments) == 0
 46      and length(body.links) == 1
 47      and (
 48        regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
 49        or any(body.links, .href_url.domain.root_domain in~ $org_domains)
 50      )
 51      and length(body.previous_threads) == 0
 52      and 20 < length(body.current_thread.text) < 500
 53      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 54                          "(?:screenshot|error list|plan|quote|rank|professional|price)"
 55      )
 56      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 57                          'h(?:i|ello|ey)\b'
 58      )
 59      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 60                          '(?:error|report|issues|website|repair|redesign|upgrade|Google\s+.{0,15}find it)'
 61      )
 62      and regex.icontains(strings.replace_confusables(body.current_thread.text),
 63                          "(?:site|website|page)"
 64      )
 65      and (
 66        regex.icontains(strings.replace_confusables(subject.subject),
 67                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
 68        )
 69        or (
 70          strings.icontains(strings.replace_confusables(subject.subject),
 71                            "report"
 72          )
 73          and regex.icontains(strings.replace_confusables(body.current_thread.text),
 74                              "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back|just reply)"
 75          )
 76        )
 77        or length(subject.base) < 5
 78      )
 79    ),
 80    // Multiple thread message groups
 81    (
 82      length(attachments) == 0
 83      and length(body.links) == 0
 84      and length(body.previous_threads) < 5
 85      and (
 86        regex.icontains(strings.replace_confusables(subject.subject),
 87                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
 88        )
 89        or (
 90          (
 91            length(subject.base) < 5
 92            or subject.is_reply or subject.is_forward
 93          )
 94          and any(body.previous_threads,
 95                  regex.icontains(strings.replace_confusables(.text),
 96                                  "(?:screenshot|website)"
 97                  )
 98          )
 99        )
100      )
101      and any(body.previous_threads,
102              length(.text) < 400
103              and (
104                regex.icontains(strings.replace_confusables(.text),
105                                'h(?:i|ello|ey)\b'
106                )
107                or strings.icontains(strings.replace_confusables(.text),
108                                     "morning"
109                )
110              )
111              and regex.icontains(strings.replace_confusables(.text),
112                                  '(?:\berror(?:\s+list)?\b|screenshot|report|plan)'
113              )
114              and ml.nlu_classifier(.text).language == "english"
115      )
116    )
117  )  
118
119tags:
120  - "Attack surface reduction"
121attack_types:
122  - "Spam"
123detection_methods:
124  - "Content analysis"
125  - "Sender analysis"
126  - "Natural Language Understanding"
127id: "122ea794-f619-5f29-acb2-83261d8f81fc"
