sublime | low severity | Rule
Subject and sender display name contains matching long alphanumeric string
Detects messages where both the subject line and sender display name contain identical alphanumeric strings that are between 32 and 64 characters, which may indicate automated generation or coordination between these fields for malicious purposes.
Detection Query
type.inbound
and any(regex.iextract(subject.subject,
                       '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
        ),
        strings.contains(sender.display_name, .named_groups["string"])
)
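The block below is an added Python re-implementation of the query above, written for this page and not taken from Sublime's rule or its MQL engine. It assumes a message is a plain dict with `inbound`, `subject` and `display_name` keys (stand-ins for `type.inbound`, `subject.subject` and `sender.display_name`), and runs the logic over constructed subjects and display names at the boundary lengths so you can see exactly what the rule fires on and what it skips.

```python
import re

# Same pattern as the rule's regex.iextract call. re.IGNORECASE mirrors the
# "i" in iextract; the (?P<name>...) named-group syntax is the one the rule uses.
TOKEN_RE = re.compile(
    r"[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])",
    re.IGNORECASE,
)

# Constructed tokens at the boundary lengths (not taken from real mail).
TOK32 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"  # 32 chars: shortest that matches
TOK31 = TOK32[:-1]                           # 31 chars: one too short
TOK64 = "a1b2" * 16                          # 64 chars: longest that matches
TOK65 = "z" * 65                             # 65 chars: one too long


def extract_tokens(subject: str) -> list[str]:
    """Every named-group capture the rule's regex.iextract would return."""
    return [m.group("string") for m in TOKEN_RE.finditer(subject)]


def rule_matches(msg: dict) -> bool:
    """Python equivalent of the MQL: type.inbound and any(extracted token is a
    substring of sender.display_name). MQL's strings.contains is case-sensitive
    (strings.icontains is the insensitive form), so the `in` test is exact-case."""
    if not msg.get("inbound", False):
        return False
    display_name = msg.get("display_name") or ""
    subject = msg.get("subject") or ""
    return any(tok in display_name for tok in extract_tokens(subject))


# Constructed sample messages exercising the edge cases (not real mail).
SAMPLES = {
    "token_in_both": {
        "inbound": True,
        "subject": "Invoice " + TOK32 + " is ready",
        "display_name": "Billing " + TOK32,
    },
    # The regex needs a non-alphanumeric character *before* the token, so a
    # token that opens the subject is never extracted.
    "token_at_subject_start": {
        "inbound": True,
        "subject": TOK32 + " is ready",
        "display_name": "Billing " + TOK32,
    },
    # Trailing end-of-string is accepted via the (?:$|...) alternative.
    "token_at_subject_end": {
        "inbound": True,
        "subject": "Ticket " + TOK32,
        "display_name": "Desk " + TOK32,
    },
    # Extraction is case-insensitive, but the contains check is not.
    "case_differs": {
        "inbound": True,
        "subject": "Ref: " + TOK32.upper(),
        "display_name": "Support " + TOK32,
    },
    "too_short_31": {
        "inbound": True,
        "subject": "Ref " + TOK31,
        "display_name": "Support " + TOK31,
    },
    "max_length_64": {
        "inbound": True,
        "subject": "Code: " + TOK64 + " ok",
        "display_name": "Desk " + TOK64,
    },
    # A 65-char run cannot satisfy {32,64} followed by end or non-alnum.
    "too_long_65": {
        "inbound": True,
        "subject": "Code: " + TOK65,
        "display_name": "Desk " + TOK65,
    },
    "outbound": {
        "inbound": False,
        "subject": "Invoice " + TOK32,
        "display_name": "Billing " + TOK32,
    },
}


def run_samples() -> dict[str, bool]:
    """Rule verdict for every constructed sample, keyed by sample name."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'MATCH ' if hit else 'no hit'}  {name}")
```

Two properties of the query worth knowing when tuning it, both reproduced by the samples: the pattern requires a non-alphanumeric character immediately before the token, so a token that is the very first thing in the subject is never extracted; and extraction is case-insensitive (iextract) while strings.contains is exact-case, so the same token written in a different case in the display name does not fire. If either gap matters in your environment, anchor the leading delimiter as `(?:^|[^a-z0-9])` and switch to strings.icontains.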
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Subject and sender display name contains matching long alphanumeric string"
description: "Detects messages where both the subject line and sender display name contain identical alphanumeric strings that are between 32 and 64 characters, which may indicate automated generation or coordination between these fields for malicious purposes."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(regex.iextract(subject.subject,
                         '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
          ),
          strings.contains(sender.display_name, .named_groups["string"])
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "a8a0c831-b7f7-5534-bc4a-f01ca879a619"