Suspicious subject with long procedurally generated text blob

calendar Jan 12, 2026 · Attack surface reduction  ·
Share on: linkedin copy

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Sublime rule (View on GitHub)

 1name: "Suspicious subject with long procedurally generated text blob"
 2description: "This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // "#" symbol, and then letters, numbers or more symbols (-#)
 8  and regex.imatch(subject.subject, ".*#[a-z0-9-#]+$")
 9  // not JUST letters
10  and not regex.imatch(subject.subject, ".*#[a-z-]+$")
11  // not JUST numbers
12  and not regex.imatch(subject.subject, ".*#[0-9-]+$")
13  and not any(beta.ml_topic(body.current_thread.text).topics,
14              .name in (
15                "Professional and Career Development",
16                "Reminders and Notifications"
17              )
18              and .confidence == "high"
19  )
20  
21  // and 1 other suspicious element
22  and 2 of (
23    any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld)),
24    (
25      regex.imatch(sender.display_name, ".*#[a-z0-9-#]+$")
26      and not regex.imatch(subject.subject, ".*#[a-z-]+$")
27      and not regex.imatch(subject.subject, ".*#[0-9-]+$")
28    ),
29    any(ml.nlu_classifier(subject.subject).intents,
30        .name == "cred_theft" and .confidence == "high"
31    ),
32    body.current_thread.text is null
33  )
34  
35  // standard negations
36  and not profile.by_sender_email().any_messages_benign
37  and not profile.by_sender_email().solicited
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and not headers.auth_summary.dmarc.pass
42    )
43    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44  )  
45tags:
46 - "Attack surface reduction"
47attack_types:
48  - "Credential Phishing"
49  - "Spam"
50tactics_and_techniques:
51  - "Evasion"
52detection_methods:
53  - "Content analysis"
54  - "Sender analysis"
55id: "e819593d-b60d-5b57-8bf5-837be4111c3f"

Related rules

to-top