detection.wiki

Detection rules › Sublime MQL

Credential phishing: Suspicious subject with urgent financial request and link

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers (collection)
headers.auth_summary
sender.email
subject
type

Rule body MQL

type.inbound
and (
  0 < length(filter(body.links,
                    not strings.ilike(.display_text,
                                      "*privacy*",
                                      "*terms of service*",
                                      "Learn why this is important"
                    )
                    or .display_text is null
             )
  ) < 5
)

// negate webinar registrations
and not any(body.links,
            .display_text =~ "REGISTER NOW"
            and .href_url.domain.root_domain == "secureclick.net"
)

// not all links are unsubscribe links
and not all(body.links,
            (
              strings.icontains(.display_text, "unsubscribe")
              and strings.icontains(.href_url.path, "unsubscribe")
            )
            or (
              strings.icontains(.display_text, "deactivate")
              and strings.icontains(.href_url.path, "DeactivateAccount")
            )
)

// ignore emails in body
and not all(body.links, .href_url.domain.domain in $free_email_providers)
and length(body.current_thread.text) < 2000
and length(subject.subject) < 100

// and suspicious subject
and regex.icontains(subject.subject,
                    // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt
                    "termination.*notice",
                    "38417",
                    ":completed",
                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                    "[il][il][il]egai[ -]",
                    "[li][li][li]ega[li] attempt",
                    "[ng]-?[io]n .*block",
                    "[ng]-?[io]n .*cancel",
                    "[ng]-?[io]n .*deactiv",
                    "[ng]-?[io]n .*disabl",
                    "action.*required",
                    "abandon.*package",
                    "about.your.account",
                    "acc(ou)?n?t (is )?on ho[li]d",
                    "acc(ou)?n?t.*terminat",
                    "acc(oun)?t.*[il1]{2}mitation",
                    "access.*limitation",
                    "account (will be )?block",
                    "account.*de-?activat",
                    "account.*locked",
                    "account.*re-verification",
                    "account.*security",
                    "account.*suspension",
                    "account.has.been",
                    "account.has.expired",
                    "account.will.be.blocked",
                    "account v[il]o[li]at",
                    "activity.*acc(oun)?t",
                    "almost.full",
                    "app[li]e.[il]d",
                    "authenticate.*account",
                    "been.*suspend",
                    "clos.*of.*account.*processed",
                    "confirm.your.account",
                    "courier.*able",
                    "crediential.*notif",
                    "deactivation.*in.*progress",
                    "delivery.*attempt.*failed",
                    "document.(?:submitted|received)",
                    "documented.*shared.*with.*you",
                    "dropbox.*document",
                    "e-?ma[il1]+ .{010}suspen",
                    "e-?ma[il1]{1} user",
                    "e-?ma[il1]{2} acc",
                    "e-?ma[il1]{2}.*up.?grade",
                    "e.?ma[il1]{2}.*server",
                    "e.?ma[il1]{2}.*suspend",
                    "email.update",
                    "faxed you",
                    "^final reminder: .*(?:overdue|resolve|access ends)",
                    "fraud(ulent)?.*charge",
                    "from.helpdesk",
                    "fu[il1]{2}.*ma[il1]+[ -]?box",
                    "has.been.*suspended",
                    "has.been.limited",
                    "have.locked",
                    "he[li]p ?desk upgrade",
                    "heipdesk",
                    "i[il]iega[il]",
                    "ii[il]ega[il]",
                    "incoming e?mail",
                    "incoming.*fax",
                    "lock.*security",
                    "ma[il1]{1}[ -]?box.*quo",
                    "ma[il1]{2}[ -]?box.*fu[il1]",
                    "ma[il1]{2}box.*[il1]{2}mit",
                    "ma[il1]{2}box stor",
                    "mail on.?hold",
                    "mail.*box.*migration",
                    "mail.*de-?activat",
                    "mail.update.required",
                    "mails.*pending",
                    "messages.*pending",
                    "missed.*shipping.*notification",
                    "missed.shipment.notification",
                    "must.update.your.account",
                    "new [sl][io]g?[nig][ -]?in from",
                    "new voice ?-?mail",
                    "notifications.*pending",
                    "office.*3.*6.*5.*suspend",
                    "office365",
                    "on google docs with you",
                    "online doc",
                    "password.*compromised",
                    "periodic maintenance",
                    "potential(ly)? unauthorized",
                    "refund not approved",
                    "revised.*policy",
                    "scam",
                    "scanned.?invoice",
                    "secured?.update",
                    "security breach",
                    "securlty",
                    "signed.*delivery",
                    "status of your .{314}? ?delivery",
                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                    "suspicious.*sign.*[io]n",
                    "suspicious.activit",
                    "temporar(il)?y deactivate",
                    "temporar[il1]{2}y disab[li]ed",
                    "temporarily.*lock",
                    "un-?usua[li].activity",
                    "unable.*deliver",
                    "unauthorized.*activit",
                    "unauthorized.device",
                    "unauthorized.sign.?in",
                    "unrecognized.*activit",
                    "unrecognized.sign.?in",
                    "unrecognized.*activit",
                    "undelivered message",
                    "unread.*doc",
                    "unusual.activity",
                    "upgrade.*account",
                    "upgrade.notice",
                    "urgent message",
                    "urgent.verification",
                    "v[il1]o[li1]at[il1]on security",
                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                    "verification ?-?require",
                    "verification( )?-?need",
                    "verify.your?.account",
                    "web ?-?ma[il1]{2}",
                    "web[ -]?ma[il1]{2}",
                    "will.be.suspended",
                    "your (customer )?account .as",
                    "your.office.365",
                    "your.online.access",

                    // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
                    "account has been limited",
                    "action required",
                    "almost full",
                    "apd notifi cation",
                    "are you at your desk",
                    "are you available",
                    "attached file to docusign",
                    "banking is temporarily unavailable",
                    "bankofamerica",
                    "closing statement invoice",
                    "completed: docusign",
                    "de-activation of",
                    "delivery attempt",
                    "delivery stopped for shipment",
                    "detected suspicious",
                    "detected suspicious actvity",
                    "docu sign",
                    "document for you",
                    "document has been sent to you via docusign",
                    "document is ready for signature",
                    "docusign",
                    "encrypted message",
                    "failed delivery",
                    "fedex tracking",
                    "file was shared",
                    "freefax",
                    "fwd: due invoice paid",
                    "has shared",
                    "inbox is full",
                    "invitation to comment",
                    "invitation to edit",
                    "invoice due",
                    "left you a message",
                    "message from",
                    "new message",
                    "new voicemail",
                    "on desk",
                    "out of space",
                    "password reset",
                    "payment status",
                    "quick reply",
                    "re: w-2",
                    "required",
                    "required: completed docusign",
                    "ringcentral",
                    "scanned image",
                    "secured files",
                    "secured pdf",
                    "security alert",
                    "new sign-in",
                    "new sign in",
                    "sign-in attempt",
                    "sign in attempt",
                    "staff review",
                    "suspicious activity",
                    "unrecognized login attempt",
                    "upgrade immediately",
                    "urgent",
                    "wants to share",
                    '\bw2\b',
                    "you have notifications pending",
                    "your account",
                    "your amazon order",
                    "your document settlement",
                    "your order with amazon",
                    "your password has been compromised",

                    // cryptocurrency related subjects
                    '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
)

// language attempting to engage
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

// financial request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
)

// urgency request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency"
)

// org presence
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")

// not a reply
and (
  not strings.istarts_with(subject.subject, "re:")
  and headers.in_reply_to is null
)

// the message is unsolicited and no false positives
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and profile.by_sender().any_messages_benign
    and (
      not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
    )
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// negation the only link is the senders email
and not (
  regex.contains(body.current_thread.text,
                 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )
  and (
    all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
  )
)

Detection logic

Scope: inbound message.

This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.

  1. inbound message
  2. all of:
    • length(filter(body.links, not strings.ilike(.display_text, '*privacy*', '*terms of service*', 'Learn why this is important') or .display_text is null)) > 0
    • length(filter(body.links, not strings.ilike(.display_text, '*privacy*', '*terms of service*', 'Learn why this is important') or .display_text is null)) < 5
  3. not:
    • any of body.links where all hold:
      • .display_text is 'REGISTER NOW'
      • .href_url.domain.root_domain is 'secureclick.net'
  4. not:
    • all of body.links where any holds:
      • all of:
        • .display_text contains 'unsubscribe'
        • .href_url.path contains 'unsubscribe'
      • all of:
        • .display_text contains 'deactivate'
        • .href_url.path contains 'DeactivateAccount'
  5. not:
    • all of body.links where:
      • .href_url.domain.domain in $free_email_providers
  6. length(body.current_thread.text) < 2000
  7. length(subject.subject) < 100
  8. subject.subject matches any of 194 patterns
    • termination.*notice
    • 38417
    • :completed
    • [il1]{2}mit.*ma[il1]{2} ?bo?x
    • [il][il][il]egai[ -]
    • [li][li][li]ega[li] attempt
    • [ng]-?[io]n .*block
    • [ng]-?[io]n .*cancel
    • [ng]-?[io]n .*deactiv
    • [ng]-?[io]n .*disabl
    • action.*required
    • abandon.*package
    • about.your.account
    • acc(ou)?n?t (is )?on ho[li]d
    • acc(ou)?n?t.*terminat
    • acc(oun)?t.*[il1]{2}mitation
    • access.*limitation
    • account (will be )?block
    • account.*de-?activat
    • account.*locked
    • account.*re-verification
    • account.*security
    • account.*suspension
    • account.has.been
    • account.has.expired
    • account.will.be.blocked
    • account v[il]o[li]at
    • activity.*acc(oun)?t
    • almost.full
    • app[li]e.[il]d
    • authenticate.*account
    • been.*suspend
    • clos.*of.*account.*processed
    • confirm.your.account
    • courier.*able
    • crediential.*notif
    • deactivation.*in.*progress
    • delivery.*attempt.*failed
    • document.(?:submitted|received)
    • documented.*shared.*with.*you
    • dropbox.*document
    • e-?ma[il1]+ .{010}suspen
    • e-?ma[il1]{1} user
    • e-?ma[il1]{2} acc
    • e-?ma[il1]{2}.*up.?grade
    • e.?ma[il1]{2}.*server
    • e.?ma[il1]{2}.*suspend
    • email.update
    • faxed you
    • ^final reminder: .*(?:overdue|resolve|access ends)
    • fraud(ulent)?.*charge
    • from.helpdesk
    • fu[il1]{2}.*ma[il1]+[ -]?box
    • has.been.*suspended
    • has.been.limited
    • have.locked
    • he[li]p ?desk upgrade
    • heipdesk
    • i[il]iega[il]
    • ii[il]ega[il]
    • incoming e?mail
    • incoming.*fax
    • lock.*security
    • ma[il1]{1}[ -]?box.*quo
    • ma[il1]{2}[ -]?box.*fu[il1]
    • ma[il1]{2}box.*[il1]{2}mit
    • ma[il1]{2}box stor
    • mail on.?hold
    • mail.*box.*migration
    • mail.*de-?activat
    • mail.update.required
    • mails.*pending
    • messages.*pending
    • missed.*shipping.*notification
    • missed.shipment.notification
    • must.update.your.account
    • new [sl][io]g?[nig][ -]?in from
    • new voice ?-?mail
    • notifications.*pending
    • office.*3.*6.*5.*suspend
    • office365
    • on google docs with you
    • online doc
    • password.*compromised
    • periodic maintenance
    • potential(ly)? unauthorized
    • refund not approved
    • revised.*policy
    • scam
    • scanned.?invoice
    • secured?.update
    • security breach
    • securlty
    • signed.*delivery
    • status of your .{314}? ?delivery
    • susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
    • suspicious.*sign.*[io]n
    • suspicious.activit
    • temporar(il)?y deactivate
    • temporar[il1]{2}y disab[li]ed
    • temporarily.*lock
    • un-?usua[li].activity
    • unable.*deliver
    • unauthorized.*activit
    • unauthorized.device
    • unauthorized.sign.?in
    • unrecognized.*activit
    • unrecognized.sign.?in
    • unrecognized.*activit
    • undelivered message
    • unread.*doc
    • unusual.activity
    • upgrade.*account
    • upgrade.notice
    • urgent message
    • urgent.verification
    • v[il1]o[li1]at[il1]on security
    • va[il1]{1}date.*ma[il1]{2}[ -]?box
    • verification ?-?require
    • verification( )?-?need
    • verify.your?.account
    • web ?-?ma[il1]{2}
    • web[ -]?ma[il1]{2}
    • will.be.suspended
    • your (customer )?account .as
    • your.office.365
    • your.online.access
    • account has been limited
    • action required
    • almost full
    • apd notifi cation
    • are you at your desk
    • are you available
    • attached file to docusign
    • banking is temporarily unavailable
    • bankofamerica
    • closing statement invoice
    • completed: docusign
    • de-activation of
    • delivery attempt
    • delivery stopped for shipment
    • detected suspicious
    • detected suspicious actvity
    • docu sign
    • document for you
    • document has been sent to you via docusign
    • document is ready for signature
    • docusign
    • encrypted message
    • failed delivery
    • fedex tracking
    • file was shared
    • freefax
    • fwd: due invoice paid
    • has shared
    • inbox is full
    • invitation to comment
    • invitation to edit
    • invoice due
    • left you a message
    • message from
    • new message
    • new voicemail
    • on desk
    • out of space
    • password reset
    • payment status
    • quick reply
    • re: w-2
    • required
    • required: completed docusign
    • ringcentral
    • scanned image
    • secured files
    • secured pdf
    • security alert
    • new sign-in
    • new sign in
    • sign-in attempt
    • sign in attempt
    • staff review
    • suspicious activity
    • unrecognized login attempt
    • upgrade immediately
    • urgent
    • wants to share
    • \bw2\b
    • you have notifications pending
    • your account
    • your amazon order
    • your document settlement
    • your order with amazon
    • your password has been compromised
    • \d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview
  9. any of ml.nlu_classifier(body.current_thread.text).entities where:
    • .name is 'request'
  10. any of ml.nlu_classifier(body.current_thread.text).entities where:
    • .name is 'financial'
  11. any of ml.nlu_classifier(body.current_thread.text).entities where:
    • .name is 'urgency'
  12. any of ml.nlu_classifier(body.current_thread.text).entities where:
    • .name is 'org'
  13. all of:
    • not:
      • subject.subject starts with 're:'
    • headers.in_reply_to is missing
  14. any of:
    • not:
      • profile.by_sender_email().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • profile.by_sender().any_messages_benign
      • any of:
        • not:
          • headers.auth_summary.dmarc.pass
        • not:
          • headers.auth_summary.spf.pass
  15. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  16. not:
    • all of:
      • body.current_thread.text matches '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\\\.[A-Za-z]{2,}'
      • all of body.links where:
        • .href_url.domain.root_domain is sender.email.domain.domain

Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.in_reply_to, sender.email.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, profile.by_sender_email, regex.contains, regex.icontains, strings.icontains, strings.ilike, strings.istarts_with. Reference lists: $free_email_providers, $high_trust_sender_root_domains.

Indicators matched (207)

FieldMatchValue
strings.ilikesubstring*privacy*
strings.ilikesubstring*terms of service*
strings.ilikesubstringLearn why this is important
body.links[].display_textequalsREGISTER NOW
body.links[].href_url.domain.root_domainequalssecureclick.net
strings.icontainssubstringunsubscribe
strings.icontainssubstringdeactivate
strings.icontainssubstringDeactivateAccount
regex.icontainsregextermination.*notice
regex.icontainsregex38417
regex.icontainsregex:completed
regex.icontainsregex[il1]{2}mit.*ma[il1]{2} ?bo?x
195 more
regex.icontainsregex[il][il][il]egai[ -]
regex.icontainsregex[li][li][li]ega[li] attempt
regex.icontainsregex[ng]-?[io]n .*block
regex.icontainsregex[ng]-?[io]n .*cancel
regex.icontainsregex[ng]-?[io]n .*deactiv
regex.icontainsregex[ng]-?[io]n .*disabl
regex.icontainsregexaction.*required
regex.icontainsregexabandon.*package
regex.icontainsregexabout.your.account
regex.icontainsregexacc(ou)?n?t (is )?on ho[li]d
regex.icontainsregexacc(ou)?n?t.*terminat
regex.icontainsregexacc(oun)?t.*[il1]{2}mitation
regex.icontainsregexaccess.*limitation
regex.icontainsregexaccount (will be )?block
regex.icontainsregexaccount.*de-?activat
regex.icontainsregexaccount.*locked
regex.icontainsregexaccount.*re-verification
regex.icontainsregexaccount.*security
regex.icontainsregexaccount.*suspension
regex.icontainsregexaccount.has.been
regex.icontainsregexaccount.has.expired
regex.icontainsregexaccount.will.be.blocked
regex.icontainsregexaccount v[il]o[li]at
regex.icontainsregexactivity.*acc(oun)?t
regex.icontainsregexalmost.full
regex.icontainsregexapp[li]e.[il]d
regex.icontainsregexauthenticate.*account
regex.icontainsregexbeen.*suspend
regex.icontainsregexclos.*of.*account.*processed
regex.icontainsregexconfirm.your.account
regex.icontainsregexcourier.*able
regex.icontainsregexcrediential.*notif
regex.icontainsregexdeactivation.*in.*progress
regex.icontainsregexdelivery.*attempt.*failed
regex.icontainsregexdocument.(?:submitted|received)
regex.icontainsregexdocumented.*shared.*with.*you
regex.icontainsregexdropbox.*document
regex.icontainsregexe-?ma[il1]+ .{010}suspen
regex.icontainsregexe-?ma[il1]{1} user
regex.icontainsregexe-?ma[il1]{2} acc
regex.icontainsregexe-?ma[il1]{2}.*up.?grade
regex.icontainsregexe.?ma[il1]{2}.*server
regex.icontainsregexe.?ma[il1]{2}.*suspend
regex.icontainsregexemail.update
regex.icontainsregexfaxed you
regex.icontainsregex^final reminder: .*(?:overdue|resolve|access ends)
regex.icontainsregexfraud(ulent)?.*charge
regex.icontainsregexfrom.helpdesk
regex.icontainsregexfu[il1]{2}.*ma[il1]+[ -]?box
regex.icontainsregexhas.been.*suspended
regex.icontainsregexhas.been.limited
regex.icontainsregexhave.locked
regex.icontainsregexhe[li]p ?desk upgrade
regex.icontainsregexheipdesk
regex.icontainsregexi[il]iega[il]
regex.icontainsregexii[il]ega[il]
regex.icontainsregexincoming e?mail
regex.icontainsregexincoming.*fax
regex.icontainsregexlock.*security
regex.icontainsregexma[il1]{1}[ -]?box.*quo
regex.icontainsregexma[il1]{2}[ -]?box.*fu[il1]
regex.icontainsregexma[il1]{2}box.*[il1]{2}mit
regex.icontainsregexma[il1]{2}box stor
regex.icontainsregexmail on.?hold
regex.icontainsregexmail.*box.*migration
regex.icontainsregexmail.*de-?activat
regex.icontainsregexmail.update.required
regex.icontainsregexmails.*pending
regex.icontainsregexmessages.*pending
regex.icontainsregexmissed.*shipping.*notification
regex.icontainsregexmissed.shipment.notification
regex.icontainsregexmust.update.your.account
regex.icontainsregexnew [sl][io]g?[nig][ -]?in from
regex.icontainsregexnew voice ?-?mail
regex.icontainsregexnotifications.*pending
regex.icontainsregexoffice.*3.*6.*5.*suspend
regex.icontainsregexoffice365
regex.icontainsregexon google docs with you
regex.icontainsregexonline doc
regex.icontainsregexpassword.*compromised
regex.icontainsregexperiodic maintenance
regex.icontainsregexpotential(ly)? unauthorized
regex.icontainsregexrefund not approved
regex.icontainsregexrevised.*policy
regex.icontainsregexscam
regex.icontainsregexscanned.?invoice
regex.icontainsregexsecured?.update
regex.icontainsregexsecurity breach
regex.icontainsregexsecurlty
regex.icontainsregexsigned.*delivery
regex.icontainsregexstatus of your .{314}? ?delivery
regex.icontainsregexsusp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
regex.icontainsregexsuspicious.*sign.*[io]n
regex.icontainsregexsuspicious.activit
regex.icontainsregextemporar(il)?y deactivate
regex.icontainsregextemporar[il1]{2}y disab[li]ed
regex.icontainsregextemporarily.*lock
regex.icontainsregexun-?usua[li].activity
regex.icontainsregexunable.*deliver
regex.icontainsregexunauthorized.*activit
regex.icontainsregexunauthorized.device
regex.icontainsregexunauthorized.sign.?in
regex.icontainsregexunrecognized.*activit
regex.icontainsregexunrecognized.sign.?in
regex.icontainsregexundelivered message
regex.icontainsregexunread.*doc
regex.icontainsregexunusual.activity
regex.icontainsregexupgrade.*account
regex.icontainsregexupgrade.notice
regex.icontainsregexurgent message
regex.icontainsregexurgent.verification
regex.icontainsregexv[il1]o[li1]at[il1]on security
regex.icontainsregexva[il1]{1}date.*ma[il1]{2}[ -]?box
regex.icontainsregexverification ?-?require
regex.icontainsregexverification( )?-?need
regex.icontainsregexverify.your?.account
regex.icontainsregexweb ?-?ma[il1]{2}
regex.icontainsregexweb[ -]?ma[il1]{2}
regex.icontainsregexwill.be.suspended
regex.icontainsregexyour (customer )?account .as
regex.icontainsregexyour.office.365
regex.icontainsregexyour.online.access
regex.icontainsregexaccount has been limited
regex.icontainsregexaction required
regex.icontainsregexalmost full
regex.icontainsregexapd notifi cation
regex.icontainsregexare you at your desk
regex.icontainsregexare you available
regex.icontainsregexattached file to docusign
regex.icontainsregexbanking is temporarily unavailable
regex.icontainsregexbankofamerica
regex.icontainsregexclosing statement invoice
regex.icontainsregexcompleted: docusign
regex.icontainsregexde-activation of
regex.icontainsregexdelivery attempt
regex.icontainsregexdelivery stopped for shipment
regex.icontainsregexdetected suspicious
regex.icontainsregexdetected suspicious actvity
regex.icontainsregexdocu sign
regex.icontainsregexdocument for you
regex.icontainsregexdocument has been sent to you via docusign
regex.icontainsregexdocument is ready for signature
regex.icontainsregexdocusign
regex.icontainsregexencrypted message
regex.icontainsregexfailed delivery
regex.icontainsregexfedex tracking
regex.icontainsregexfile was shared
regex.icontainsregexfreefax
regex.icontainsregexfwd: due invoice paid
regex.icontainsregexhas shared
regex.icontainsregexinbox is full
regex.icontainsregexinvitation to comment
regex.icontainsregexinvitation to edit
regex.icontainsregexinvoice due
regex.icontainsregexleft you a message
regex.icontainsregexmessage from
regex.icontainsregexnew message
regex.icontainsregexnew voicemail
regex.icontainsregexon desk
regex.icontainsregexout of space
regex.icontainsregexpassword reset
regex.icontainsregexpayment status
regex.icontainsregexquick reply
regex.icontainsregexre: w-2
regex.icontainsregexrequired
regex.icontainsregexrequired: completed docusign
regex.icontainsregexringcentral
regex.icontainsregexscanned image
regex.icontainsregexsecured files
regex.icontainsregexsecured pdf
regex.icontainsregexsecurity alert
regex.icontainsregexnew sign-in
regex.icontainsregexnew sign in
regex.icontainsregexsign-in attempt
regex.icontainsregexsign in attempt
regex.icontainsregexstaff review
regex.icontainsregexsuspicious activity
regex.icontainsregexunrecognized login attempt
regex.icontainsregexupgrade immediately
regex.icontainsregexurgent
regex.icontainsregexwants to share
regex.icontainsregex\bw2\b
regex.icontainsregexyou have notifications pending
regex.icontainsregexyour account
regex.icontainsregexyour amazon order
regex.icontainsregexyour document settlement
regex.icontainsregexyour order with amazon
regex.icontainsregexyour password has been compromised
regex.icontainsregex\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsrequest
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsfinancial
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsurgency
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsorg
strings.istarts_withprefixre:
regex.containsregex[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}