Subject: Suspicious bracketed reference

Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.

Sublime rule

 1name: "Subject: Suspicious bracketed reference"
 2description: "Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and strings.contains(subject.base, '[')
 8  and strings.ends_with(subject.base, ']')
 9  and any(regex.extract(subject.base,
10                        '\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
11          ),
12          .named_groups["first"] == .named_groups["second"]
13          and regex.match(.named_groups["second_part"], '^\d+$')
14          and regex.contains(.named_groups["third_section"], '\d+$')
15          and strings.istarts_with(.named_groups["third_section"],
16                                   .named_groups["first"]
17          )
18  )  
19attack_types:
20  - "Credential Phishing"
21tactics_and_techniques:
22  - "Evasion"
23  - "Impersonation: Brand"
24detection_methods:
25  - "Header analysis"
26  - "Content analysis"
27id: "663dbce4-0403-5baf-bf30-45c38a09f9c7"