Link: Unformatted template with literal placeholder in mailto link

Sublime Rules

Summary
Detects inbound messages containing mailto links whose href URL still contains unresolved template placeholders. Two patterns are flagged: 1) an '@{domain}' placeholder, treated as a strong standalone indicator of templating abuse, and 2) a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which only fires when the current thread’s NLU classifier detects high-confidence cred_theft or bec intents. Benign templated mail is suppressed unless the NLU signal is present. The detection relies on URL scheme mailto, regex-based placeholder matching, and cross-checking NLU intents.
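The two-tier logic described in the summary, sketched in Python as an added example; this is not the rule's own source. The function names, the `(name, confidence)` intent pairs, the single-separator reading of "underscore or space", and the percent-decoding step are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Pattern 1 from the summary: literal "@{domain}" left in the address.
DOMAIN_PLACEHOLDER = re.compile(r"@\{domain\}")
# Pattern 2: {RECIPIENT_EMAIL} / {SENDER_EMAIL}, case-insensitive, "_" or space
# before EMAIL (assumption: exactly one separator character).
EMAIL_PLACEHOLDER = re.compile(r"\{(?:RECIPIENT|SENDER)[_ ]EMAIL\}", re.IGNORECASE)
RISKY_INTENTS = {"cred_theft", "bec"}


def has_risky_intent(intents):
    """intents: (name, confidence) pairs from a hypothetical NLU classifier."""
    return any(name in RISKY_INTENTS and conf == "high" for name, conf in intents)


def classify_link(href, intents):
    """Return the reason a link matches, or None if it does not."""
    if urlsplit(href).scheme.lower() != "mailto":
        return None
    # Assumption: decode %7B/%7D so percent-encoded braces are matched too.
    decoded = unquote(href)
    if DOMAIN_PLACEHOLDER.search(decoded):
        return "domain_placeholder"  # standalone indicator, no NLU needed
    if EMAIL_PLACEHOLDER.search(decoded) and has_risky_intent(intents):
        return "email_placeholder_with_intent"
    return None  # benign templated mail without the NLU signal


def evaluate_message(hrefs, intents):
    """Collect (href, reason) for every matching link in one message."""
    hits = []
    for href in hrefs:
        reason = classify_link(href, intents)
        if reason:
            hits.append((href, reason))
    return hits


# Constructed sample links, not taken from real mail.
SAMPLE_HREFS = [
    "mailto:billing@{domain}?subject=Invoice",
    "mailto:{recipient email}",
    "mailto:%7BSENDER_EMAIL%7D",
    "https://example.com/{RECIPIENT_EMAIL}",
    "mailto:help@example.com",
]

if __name__ == "__main__":
    for intents in ([], [("cred_theft", "high")]):
        print(intents, evaluate_message(SAMPLE_HREFS, intents))
```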
Categories
  • Other
Data Sources
  • Web Credential
Created: 2026-06-30