
Summary
Detects inbound messages containing mailto links whose href still contains unresolved template placeholders. Two patterns are flagged: 1) an '@{domain}' placeholder, treated as a strong standalone indicator of templating abuse, and 2) a '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}' placeholder (case-insensitive, allowing an underscore or space before 'EMAIL'), which fires only when the NLU classifier detects a high-confidence cred_theft or bec intent in the current thread. Benign templated mail matching the second pattern is therefore suppressed unless the NLU signal is present. The detection relies on the mailto URL scheme, regex-based placeholder matching, and a cross-check against NLU intents.
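The matching logic described above, sketched in Python as an added example; it is not the rule's own query. The function names, the (name, confidence) shape of the NLU intents, the "high" confidence label, and the literal, case-sensitive match on '@{domain}' are assumptions, and the sample hrefs are constructed.

```python
import re

# Pattern 1: '@{domain}' placeholder, a standalone indicator.
# Matched literally and case-sensitively here (assumption).
DOMAIN_PLACEHOLDER = re.compile(r"@\{domain\}")

# Pattern 2: '{RECIPIENT_EMAIL}' or '{SENDER_EMAIL}', case-insensitive,
# with an underscore or a space before 'EMAIL'.
EMAIL_PLACEHOLDER = re.compile(r"\{(?:recipient|sender)[_ ]email\}", re.IGNORECASE)

RISKY_INTENTS = {"cred_theft", "bec"}


def has_risky_intent(intents):
    """intents: iterable of (name, confidence) pairs (hypothetical NLU output shape)."""
    return any(name in RISKY_INTENTS and conf == "high" for name, conf in intents)


def flag_message(hrefs, intents):
    """Return (href, reason) for every mailto link that trips either pattern."""
    risky = has_risky_intent(intents)
    hits = []
    for href in hrefs:
        # Only mailto links are in scope; other schemes are ignored.
        if not href.strip().lower().startswith("mailto:"):
            continue
        if DOMAIN_PLACEHOLDER.search(href):
            hits.append((href, "domain_placeholder"))
        elif EMAIL_PLACEHOLDER.search(href) and risky:
            # Email placeholders alone are common in benign templated mail,
            # so they count only alongside a high-confidence risky intent.
            hits.append((href, "email_placeholder+nlu"))
    return hits


if __name__ == "__main__":
    # Constructed sample messages: (hrefs, NLU intents)
    samples = [
        (["mailto:help@{domain}?subject=Verify"], []),
        (["mailto:{Recipient Email}"], [("benign", "high")]),
        (["mailto:{sender_email}?subject=Invoice"], [("bec", "high")]),
        (["https://example.com/?u={RECIPIENT_EMAIL}"], [("cred_theft", "high")]),
    ]
    for hrefs, intents in samples:
        print(hrefs, intents, "->", flag_message(hrefs, intents))
```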
Categories
- Other
Data Sources
- Web Credential
Created: 2026-06-30