Spam: Website errors solicitation
This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request.
Sublime rule
 1name: "Spam: Website errors solicitation"
 2description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and (
 8    sender.email.email not in $recipient_emails
 9    or not profile.by_sender().solicited
10  )
11  and 1 of (
12      // Single thread message groups
13    (
14      length(attachments) == 0
15      and length(body.links) == 0
16      and length(body.previous_threads) == 0
17      and 20 < length(body.current_thread.text) < 500
18      and regex.icontains(body.current_thread.text, "screenshot")
19      and regex.icontains(body.current_thread.text, '.*(hi|hello|hey)')
20      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
21      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit|screenshot)")
22    ),
23    // Single thread message groups but with 1 unsubscribe link
24    (
25      length(attachments) == 0
26      and length(body.links) == 1
27      and regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
28      and length(body.previous_threads) == 0
29      and 20 < length(body.current_thread.text) < 500
30      and regex.icontains(body.current_thread.text, "screenshot")
31      and regex.icontains(body.current_thread.text, '.*(hi|hello|hey)')
32      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
33      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit|screenshot)")
34    ),
35    // Multiple thread message groups
36    (
37      length(attachments) == 0
38      and length(body.links) == 0
39      and length(body.previous_threads) < 5
40      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit)")
41      and any(body.previous_threads,
42              length(.text) < 400
43              and regex.icontains(.text, '.*(hey|hi|hello)')
44              and regex.icontains(.text, ".*(error|screenshot|report)")
45              and strings.count(.text, "?") >= 3
46              and ml.nlu_classifier(.text).language == "english"
47      )
48    )
49  )  
50
51tags:
52  - "Attack surface reduction"
53attack_types:
54  - "Spam"
55detection_methods:
56  - "Content analysis"
57  - "Sender analysis"
58  - "Natural Language Understanding"
59id: "122ea794-f619-5f29-acb2-83261d8f81fc"