Source: sublime · Severity: high · Type: rule
Subject: Suspicious bracketed reference
Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.
Detection Query
type.inbound
and strings.contains(subject.base, '[')
and strings.ends_with(subject.base, ']')
and any(regex.extract(subject.base,
                      '\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
        ),
        .named_groups["first"] == .named_groups["second"]
        and regex.match(.named_groups["second_part"], '^\d+$')
        and regex.contains(.named_groups["third_section"], '\d+$')
        and strings.istarts_with(.named_groups["third_section"],
                                 .named_groups["first"]
        )
)
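To make the predicate above easier to test against a subject corpus before deploying the rule, here is an added Python re-implementation (example code, not Sublime's own engine). It copies the rule's regex verbatim and applies the same four conditions to every extracted match; the only assumption is that subject.base behaves like the subject with leading Re:/Fwd: prefixes removed, which the helper approximates. The sample subjects are constructed and cover the hit plus each individual way a subject can miss.

```python
import re

# Regex copied from the rule; Python's re uses the same (?P<name>...) named-group syntax.
BRACKET_RE = re.compile(
    r'\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
)

# Assumption: subject.base is the subject with leading reply/forward prefixes stripped.
# This helper approximates that behaviour; it is not Sublime's implementation.
PREFIX_RE = re.compile(r'^(?:(?:re|fw|fwd)\s*:\s*)+', re.IGNORECASE)


def base_subject(subject: str) -> str:
    """Approximate subject.base: drop leading Re:/Fw:/Fwd: prefixes and surrounding whitespace."""
    return PREFIX_RE.sub('', subject.strip())


def matches_rule(subject: str) -> bool:
    """Return True when the subject satisfies the same conditions as the detection query."""
    base = base_subject(subject)
    # strings.contains(subject.base, '[') and strings.ends_with(subject.base, ']')
    if '[' not in base or not base.endswith(']'):
        return False
    # any(regex.extract(...), <predicate>): true if any extracted match satisfies the predicate.
    # The pattern is anchored with $, so at most one match can succeed, but finditer keeps the
    # "any match" semantics when earlier '[' characters appear in the subject.
    for m in BRACKET_RE.finditer(base):
        g = m.groupdict()
        if (
            g['first'] == g['second']                                      # repeated leading char
            and re.fullmatch(r'\d+', g['second_part']) is not None         # regex.match(..., '^\d+$')
            and re.search(r'\d+$', g['third_section']) is not None         # regex.contains(..., '\d+$')
            and g['third_section'].lower().startswith(g['first'].lower())  # strings.istarts_with
        ):
            return True
    return False


# Constructed sample subjects (not real messages): one hit per branch, one miss per condition.
SAMPLE_SUBJECTS = [
    "Your account [AA-48213-A7731]",    # hit: AA, digits, third starts with A and ends in digits
    "Re: Invoice [ZZ-00921-z15]",       # hit: prefix stripped, case-insensitive starts-with
    "[AB-48213-A7731]",                 # miss: first != second
    "Ticket [AA-4x213-A7731]",          # miss: second_part is not all digits
    "Ticket [AA-48213-B7731]",          # miss: third_section does not start with first
    "Ticket [AA-48213-A77x]",           # miss: third_section does not end with digits
    "[AA-123-A9] trailing text",        # miss: subject does not end with ']'
    "Weekly report",                    # miss: no bracket at all
]


def evaluate(subjects=SAMPLE_SUBJECTS) -> dict:
    """Map each subject to the rule verdict, for bulk testing against a corpus."""
    return {s: matches_rule(s) for s in subjects}


if __name__ == '__main__':
    for subject, hit in evaluate().items():
        print(f"{'HIT ' if hit else 'miss'}  {subject}")
```

Feeding evaluate() a list of subjects exported from your own mail flow is a quick way to estimate the rule's hit rate before enabling it at high severity; any unexpected hits point at legitimate ticketing or tracking formats that share this shape and may need an exclusion.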
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Subject: Suspicious bracketed reference"
description: "Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.contains(subject.base, '[')
  and strings.ends_with(subject.base, ']')
  and any(regex.extract(subject.base,
                        '\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
          ),
          .named_groups["first"] == .named_groups["second"]
          and regex.match(.named_groups["second_part"], '^\d+$')
          and regex.contains(.named_groups["third_section"], '\d+$')
          and strings.istarts_with(.named_groups["third_section"],
                                   .named_groups["first"]
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Impersonation: Brand"
detection_methods:
- "Header analysis"
- "Content analysis"
id: "663dbce4-0403-5baf-bf30-45c38a09f9c7"