
Attachment: Romance scam with image lure and advance-fee or suspicious link indicators
Sublime Rules
Summary
Detects inbound email messages that are not replies, forwards, or mailing-list posts and contain image attachments (JPG/PNG) with body text classified by an NLU classifier as Romance or Sexually Explicit content with non-low confidence. The rule triggers when messages either include links to known redirectors or free hosting domains (e.g., geno.link, sites.google.com), or exhibit advance-fee fraud intent while routing replies to a free email provider despite originating from a corporate-looking sender domain. Observed senders include spoofed government and business addresses as well as free webmail accounts, with subject lines using romance or personal-connection lures. The detection uses ML-based topics and intents on the thread text, header and sender analyses, content and URL analysis, and file analysis of attachments. Attacker techniques include social engineering, leveraging images as content, using free email providers or free file hosts, and out-of-band pivoting. Adversary intent aligns with BEC/Fraud and Spam categories.
Categories
- Other
Data Sources
- File
- Image
Created: 2026-07-02