← Back to Explore
sublimemediumRule
Fake shipping notification with suspicious language
Body contains keywords for shipping, contains suspicious language, and addresses the recipient by their email, which is an indicator of phishing and/or spam.
Detection Query
type.inbound
// contains at least 1 link
and length(body.links) > 0
and 3 of (
strings.ilike(body.current_thread.text, "*(1)*"),
strings.ilike(body.current_thread.text, "*waiting for delivery*"),
strings.ilike(body.current_thread.text, "*delivery missed*"),
strings.ilike(body.current_thread.text, "*tracking number*")
)
// urgent/time-sensitive language
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
// email is not personalized with recipients name
and any(recipients.to,
any(ml.nlu_classifier(body.current_thread.text).entities,
.text == ..email.local_part
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Fake shipping notification with suspicious language"
description: |
Body contains keywords for shipping, contains suspicious language, and addresses the recipient by their email, which is an indicator of phishing and/or spam.
type: "rule"
severity: "medium"
source: |
type.inbound
// contains at least 1 link
and length(body.links) > 0
and 3 of (
strings.ilike(body.current_thread.text, "*(1)*"),
strings.ilike(body.current_thread.text, "*waiting for delivery*"),
strings.ilike(body.current_thread.text, "*delivery missed*"),
strings.ilike(body.current_thread.text, "*tracking number*")
)
// urgent/time-sensitive language
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
// email is not personalized with recipients name
and any(recipients.to,
any(ml.nlu_classifier(body.current_thread.text).entities,
.text == ..email.local_part
)
)
attack_types:
- "Credential Phishing"
- "Spam"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
id: "67748b0a-ac4c-525c-8393-7ed7b1b51f29"