From 91a97599cd823f4e8bc0574a0c194480868733cf Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 21 Nov 2025 15:57:11 -0800
Subject: [PATCH 1/2] Create body_fake_safe_sender.yml
---
 detection-rules/body_fake_safe_sender.yml | 43 +++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 detection-rules/body_fake_safe_sender.yml
diff --git a/detection-rules/body_fake_safe_sender.yml b/detection-rules/body_fake_safe_sender.yml
new file mode 100644
index 00000000000..c3a5a7f68f2
--- /dev/null
+++ b/detection-rules/body_fake_safe_sender.yml
@@ -0,0 +1,43 @@
+name: "Credential theft with 'safe content' deception and social engineering topics"
+description: "Detects messages containing credential theft language combined with social engineering topics like secure messages, notifications, or authentication alerts. The rule specifically identifies emails that deceptively claim to be from a 'safe sender' or contain 'safe content' in the first line, which is a common tactic used to bypass security filters and gain user trust."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name in (
+ "Reminders and Notifications",
+ "Secure Message",
+ "Security and Authentication",
+ "Voicemail Call and Missed Call Notifications",
+ "E-Signature",
+ "Financial Communications"
+ )
+ )
+ and not any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name in (
+ "Advertising and Promotions",
+ "Newsletters and Digests",
+ "News and Current Events"
+ )
+ )
+ // check only the first line of the email
+ and any(regex.iextract(body.current_thread.text, "^[^\r\n]*"),
+ strings.ilike(.full_match,
+ "*safe content*",
+ "*safe sender*",
+ "*trusted sender*"
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
From 9a910270ffbe5a5813919555c2a0c7e23496980a Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 21 Nov 2025 23:59:09 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/body_fake_safe_sender.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/body_fake_safe_sender.yml b/detection-rules/body_fake_safe_sender.yml
index c3a5a7f68f2..e1648b262c1 100644
--- a/detection-rules/body_fake_safe_sender.yml
+++ b/detection-rules/body_fake_safe_sender.yml
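Review bot: The first-line check at `regex.iextract(body.current_thread.text, "^[^\r\n]*")` inspects only the text before the first line break, so if `body.current_thread.text` begins with a blank line or leading newline the match is the empty string and the rule silently never fires; this is also the line on which to confirm the intended semantics, since `^` with no `(?m)` flag anchors to the start of the whole text rather than to each line, which is what the comment above it assumes. Skipping leading whitespace first, `"^\s*[^\r\n]+"`, would select the first non-empty line while keeping the `strings.ilike` wildcards exactly as written. The `// check only the first line of the email` comment would also benefit from stating why the scope is deliberately narrow — presumably because the 'safe sender'/'safe content' banner that the description targets is placed at the top to resemble a gateway disclaimer — so a later editor does not widen the check to the whole body and lose the precision that the topic exclusions rely on.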
@@ -41,3 +41,4 @@ tactics_and_techniques:
 detection_methods:
 - "Content analysis"
 - "Natural Language Understanding"
+id: "22ceee0d-1641-5f25-9034-a29b3fdade3d"