Service Abuse: ExactTarget with suspicious sender indicators
Message originates from ExactTarget (Salesforce Marketing Cloud) infrastructure but carries a suspicious sender: an overly long sender address (50 or more characters) at a salesforce.com domain, an awsapps.com sender domain, a sender domain containing an RFC 2047 encoded-word marker ('?utf-8'), or a display name with a pipe character followed by a job-title keyword (Manager, Careers, Recruitment, Specialist, Global).
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, BEC/Fraud |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
Rule body MQL

```mql
type.inbound
// Infrastructure gate: the message must have transited ExactTarget
and any(headers.domains, .root_domain == 'exacttarget.com')
and (
  // Unusually long sender address at a salesforce.com domain
  (
    length(sender.email.email) >= 50
    and sender.email.domain.root_domain == "salesforce.com"
  )
  // Amazon WorkMail tenant used as the sender domain
  or sender.email.domain.root_domain == "awsapps.com"
  // RFC 2047 encoded-word marker leaked into the sender domain
  or strings.icontains(sender.email.domain.domain, '?utf-8')
  // "Name | Job Title" display names common in recruiting lures
  or regex.icontains(sender.display_name,
                     '.*\|.*(Manager|Careers|Recruitment|Specialist|Global)'
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of headers.domains where:
  - .root_domain is 'exacttarget.com'
- any of:
  - all of:
    - length(sender.email.email) ≥ 50
    - sender.email.domain.root_domain is 'salesforce.com'
  - sender.email.domain.root_domain is 'awsapps.com'
  - sender.email.domain.domain contains '?utf-8' (case-insensitive)
  - sender.display_name matches '.*\|.*(Manager|Careers|Recruitment|Specialist|Global)' (case-insensitive)
Inspects: headers.domains, headers.domains[].root_domain, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: regex.icontains, strings.icontains.
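To see how the branches of this rule interact, here is an added Python re-implementation of the rule body and detection logic above, run over a handful of constructed sample messages. It is example code written for this page, not Sublime's engine or the rule itself. It assumes a simplified `root_domain` (last two hostname labels; Sublime's attribute is public-suffix aware), a flat list of header domains standing in for `headers.domains`, and the `Message`, `rule_matches` and `evaluate` names, all of which are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Simplified stand-in for Sublime's root_domain attribute: the last two
# labels of the hostname. The real attribute is public-suffix aware
# (e.g. example.co.uk); this approximation is an assumption made for
# the example, not Sublime's implementation.
def root_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

# Same pattern as the rule. \| is a literal pipe, the rest is alternation;
# regex.icontains is an unanchored, case-insensitive search, so re.search is used.
DISPLAY_NAME_RE = re.compile(
    r".*\|.*(Manager|Careers|Recruitment|Specialist|Global)", re.IGNORECASE
)

@dataclass
class Message:
    inbound: bool
    header_domains: List[str]  # stand-in for headers.domains
    sender_email: str          # sender.email.email
    display_name: str          # sender.display_name

    @property
    def sender_domain(self) -> str:
        # sender.email.domain.domain: everything after the last '@'
        return self.sender_email.rpartition("@")[2]

def rule_matches(msg: Message) -> bool:
    """Mirror of the MQL rule body, predicate by predicate."""
    if not msg.inbound:
        return False
    # Infrastructure gate: only messages that transited ExactTarget are in scope.
    if not any(root_domain(d) == "exacttarget.com" for d in msg.header_domains):
        return False
    domain = msg.sender_domain
    root = root_domain(domain)
    long_salesforce = len(msg.sender_email) >= 50 and root == "salesforce.com"
    awsapps = root == "awsapps.com"
    encoded_word = "?utf-8" in domain.lower()  # strings.icontains
    suspicious_name = DISPLAY_NAME_RE.search(msg.display_name) is not None
    return long_salesforce or awsapps or encoded_word or suspicious_name

ET = ["bounce.exacttarget.com", "mta.exacttarget.com"]

# Constructed sample messages (not real traffic): one per branch plus controls.
SAMPLES: Dict[str, Message] = {
    "legit_marketing": Message(True, ET, "news@em.salesforce.com", "Salesforce"),
    "long_salesforce_address": Message(
        True, ET,
        "security-notice-account-verification-department@em.salesforce.com",
        "Account Services",
    ),
    "awsapps_sender": Message(True, ET, "hr-team@corp.awsapps.com", "HR Team"),
    "encoded_word_domain": Message(
        True, ET, "payroll@=?utf-8?q?example?=.com", "Payroll"
    ),
    "recruiter_display_name": Message(
        True, ET, "careers@example-corp.com",
        "Careers Team | Global Talent Recruitment Manager",
    ),
    # Same suspicious sender, but never touched ExactTarget: out of scope.
    "awsapps_not_via_exacttarget": Message(
        True, ["mail.example.net"], "hr-team@corp.awsapps.com", "HR Team"
    ),
    # type.inbound is false, so the rule never evaluates the sender.
    "outbound_copy": Message(False, ET, "hr-team@corp.awsapps.com", "HR Team"),
}

def evaluate(samples: Dict[str, Message] = SAMPLES) -> Dict[str, bool]:
    return {name: rule_matches(msg) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'no   '}  {name}")
```

The two controls at the end are the point of the exercise: the ExactTarget header gate and `type.inbound` are ANDed ahead of the sender checks, so an awsapps.com sender that did not transit ExactTarget produces no alert here and would need a separate rule. Note also that the salesforce.com branch measures the whole address, not the domain, so a long local part is what trips it.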
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
| headers.domains[].root_domain | equals | exacttarget.com |
| sender.email.domain.root_domain | equals | salesforce.com |
| sender.email.domain.root_domain | equals | awsapps.com |
| sender.email.domain.domain | substring (strings.icontains) | ?utf-8 |
| sender.display_name | regex (regex.icontains) | .*\|.*(Manager|Careers|Recruitment|Specialist|Global) |