Sublime · severity: medium · rule

Service abuse: Nylas tracking subdomain with suspicious content

Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
and any(filter(body.current_thread.links, .href_url.domain.sld == "nylas"),
        .display_text is not null
        and strings.icontains(.href_url.domain.subdomain, 'tracking')
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
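As an added example (not Sublime's code), the query's two conditions re-implemented in plain Python so they can be run against constructed messages. The Message, Link and Intent classes and the pre-computed intents list are assumptions standing in for body.current_thread and the ml.nlu_classifier output; they are not the platform's API.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Link:
    sld: str                        # second-level domain label, e.g. "nylas"
    subdomain: str                  # labels left of the registered domain
    display_text: Optional[str] = None  # None models MQL's null (bare URL)


@dataclass
class Intent:
    name: str                       # e.g. "cred_theft"
    confidence: str                 # "low", "medium" or "high"


@dataclass
class Message:
    inbound: bool                   # stands in for type.inbound
    links: List[Link] = field(default_factory=list)
    intents: List[Intent] = field(default_factory=list)  # constructed stand-in for NLU output


def has_nylas_tracking_link(msg: Message) -> bool:
    """filter(links, sld == "nylas") then any(display_text not null and icontains(subdomain, 'tracking'))."""
    nylas_links = [l for l in msg.links if l.sld == "nylas"]
    return any(
        l.display_text is not None and "tracking" in l.subdomain.lower()
        for l in nylas_links
    )


def has_cred_theft_intent(msg: Message) -> bool:
    """any(intents, name == "cred_theft" and confidence != "low")."""
    return any(i.name == "cred_theft" and i.confidence != "low" for i in msg.intents)


def rule_matches(msg: Message) -> bool:
    """Conjunction of the three top-level clauses of the query."""
    return msg.inbound and has_nylas_tracking_link(msg) and has_cred_theft_intent(msg)


# Constructed sample messages covering the edge cases the query carves out.
SUSPICIOUS = Message(True, [Link("nylas", "Tracking", "Review your account")], [Intent("cred_theft", "high")])
LOW_CONFIDENCE = Message(True, [Link("nylas", "tracking", "Read more")], [Intent("cred_theft", "low")])
BARE_URL = Message(True, [Link("nylas", "tracking", None)], [Intent("cred_theft", "high")])
OUTBOUND = Message(False, [Link("nylas", "tracking", "Review your account")], [Intent("cred_theft", "high")])
```

Subdomain matching is case-insensitive, mirroring strings.icontains, so "Tracking" still matches; a bare tracking URL with no display text, a low-confidence intent, or an outbound message each fails a clause and does not fire.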

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content

name: "Service abuse: Nylas tracking subdomain with suspicious content"
description: "Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(body.current_thread.links, .href_url.domain.sld == "nylas"),
          .display_text is not null
          and strings.icontains(.href_url.domain.subdomain, 'tracking')
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a3a6c896-1d1e-5a7c-ad72-6adda57a329f"