heroui logo

Link: Generic financial document with proceedural timeline template

Sublime Rules

View Source
Summary
Detects inbound messages that reference invoices, payment releases, and procedural timelines and contain links intended to direct recipients to financial documents. The rule enforces a modest link count (<=40) and requires time-based cues such as a release date (will be released on a specific Monday/Tuesday... with a month and day) or a short day-count phrase. It flags messages whose link text or metadata suggests viewing or accessing a payment/statement/document, or where a Natural Language Understanding (NLU) topic indicates a high-confidence "Request to View Invoice". The rule widens its net with host/domain heuristics: suspicious links hosted on known free file hosts, unusual TLDs, self-service creation platforms, or domains not found in standard top-level trust lists; it also flags potential open redirects via query parameters. A bait-and-switch CTA pattern (e.g., a message clipping notice plus a prompt to view the entire message) is considered suspicious. It excludes known legitimate org domains and requires the URL domain to be valid. Sender behavior is evaluated: either a single recipient equal to the sender, or no/invalid recipients present. The rule targets BEC and credential phishing via invoice-related lure documents and uses a combination of content analysis, NLU topic matching, header analysis, and sender analysis to detect exploit attempts while reducing false positives from legitimate communications.
Categories
  • Web
  • Endpoint
Data Sources
  • Network Traffic
  • Web Credential
  • Process
  • File
Created: 2026-07-11