Suspicious subject with long procedurally generated text blob

calendar Mar 12, 2025 · Attack surface reduction  ·
Share on: linkedin copy

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Sublime rule (View on GitHub)

 1name: "Suspicious subject with long procedurally generated text blob"
 2description: "This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // "#" symbol, and then letters, numbers or more symbols (-#)
 8  and regex.imatch(subject.subject, ".*#[a-z0-9-#]+$")
 9  // not JUST letters
10  and not regex.imatch(subject.subject, ".*#[a-z-]+$")
11  // not JUST numbers
12  and not regex.imatch(subject.subject, ".*#[0-9-]+$")
13  
14  and not any(beta.ml_topic(body.current_thread.text).topics,
15              .name in (
16                "Professional and Career Development",
17                "Reminders and Notifications"
18              )
19              and .confidence == "high"
20  )
21  
22  // and 1 other suspicious element
23  and 2 of (
24    any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld)),
25    (
26      regex.imatch(sender.display_name, ".*#[a-z0-9-#]+$")
27      and not regex.imatch(subject.subject, ".*#[a-z-]+$")
28      and not regex.imatch(subject.subject, ".*#[0-9-]+$")
29    ),
30    any(ml.nlu_classifier(subject.subject).intents,
31        .name == "cred_theft" and .confidence == "high"
32    ),
33    body.current_thread.text is null
34  )
35  
36  // standard negations
37  and not profile.by_sender_email().any_false_positives
38  and not profile.by_sender_email().solicited
39  and (
40    (
41      sender.email.domain.root_domain in $high_trust_sender_root_domains
42      and not headers.auth_summary.dmarc.pass
43    )
44    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
45  )  
46tags:
47 - "Attack surface reduction"
48attack_types:
49  - "Credential Phishing"
50  - "Spam"
51tactics_and_techniques:
52  - "Evasion"
53detection_methods:
54  - "Content analysis"
55  - "Sender analysis"
56id: "e819593d-b60d-5b57-8bf5-837be4111c3f"

Related rules

to-top