← Back to Explore
sublimehighRule
Link: Self-sender with sender org in subject and credential theft indicator
Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.
Detection Query
type.inbound
// self sender behavior
and length(recipients.to) == 1
and length(recipients.cc) == 0
and sender.email.email == recipients.to[0].email.email
// not self sender from the org_domain, this rule is not going to detect spoofed domains to limit FPs caused by various email auth issues.
and not sender.email.domain.domain in $org_domains
and profile.by_sender_email().prevalence == "new"
// org name in the subject, removing the subject from NLU to prevent the org being extracted from the subject
and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
.name == "org"
and .text != sender.email.domain.sld
and .text != sender.email.domain.domain
),
// not an icontains, make it an exact match
strings.contains(subject.base, .text)
)
// must contain a link
and 0 < length(body.current_thread.links) < 20
// cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// all attachments are inline images or there are 0 attachments
and (
length(attachments) == 0
// there are only image attachments and all image attachments are served inline
or (
length(attachments) > 0
and (
all(attachments,
.file_type in $file_types_images
// all images are embedded in the html
and strings.icontains(body.html.raw,
strings.concat('src="cid:', .content_id)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Self-sender with sender org in subject and credential theft indicator"
description: "Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves."
type: "rule"
severity: "high"
source: |
type.inbound
// self sender behavior
and length(recipients.to) == 1
and length(recipients.cc) == 0
and sender.email.email == recipients.to[0].email.email
// not self sender from the org_domain, this rule is not going to detect spoofed domains to limit FPs caused by various email auth issues.
and not sender.email.domain.domain in $org_domains
and profile.by_sender_email().prevalence == "new"
// org name in the subject, removing the subject from NLU to prevent the org being extracted from the subject
and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
.name == "org"
and .text != sender.email.domain.sld
and .text != sender.email.domain.domain
),
// not an icontains, make it an exact match
strings.contains(subject.base, .text)
)
// must contain a link
and 0 < length(body.current_thread.links) < 20
// cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// all attachments are inline images or there are 0 attachments
and (
length(attachments) == 0
// there are only image attachments and all image attachments are served inline
or (
length(attachments) > 0
and (
all(attachments,
.file_type in $file_types_images
// all images are embedded in the html
and strings.icontains(body.html.raw,
strings.concat('src="cid:', .content_id)
)
)
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
- "Evasion"
detection_methods:
- "Natural Language Understanding"
- "Content analysis"
- "Sender analysis"
- "URL analysis"
- "Header analysis"
id: "bfa9aa08-ed3b-5e4a-a83c-192efd126530"