Service abuse: Formester with suspicious link behavior
Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, BEC/Fraud |
| Tactics and techniques | Open redirect, Social engineering, Free file host |
Event coverage
| Message attribute |
|---|
| body |
| body.current_thread |
| body.links (collection) |
| type |
Rule body MQL

```
type.inbound
// LA invokes page first before scanning additional links.
and (
  any(filter(body.links, .href_url.domain.root_domain == 'formester.com'),
    (
      ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
    )
    // any links in the final dom lead to a suspicious tld.
    or any(ml.link_analysis(.).final_dom.links,
           .href_url.domain.tld in $suspicious_tlds
           or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
    )
    // link redirects to a suspicious TLD.
    or any(ml.link_analysis(., mode="aggressive").redirect_history,
           .domain.tld in $suspicious_tlds
    )
    // suspicious landing verbiage. Keywords can be expanded.
    or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                         "secure message"
    )
    // suspicious link verbiage.
    or regex.icontains(.display_text,
                       "(view|show|download).{0,20}(Doc(ument)?(s)?|files(s)?|attached)"
    )
  )
  // suspicious keywords/phrasing in body.
  or (
    any(body.links, .href_url.domain.root_domain == 'formester.com')
    and strings.icontains(body.current_thread.text,
                          "use of Microsoft 365 and may contain content"
    )
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of filter(body.links) where any holds:
    - ml.link_analysis(.).credphish.disposition is 'phishing'
    - any of ml.link_analysis(.).final_dom.links where any holds:
      - .href_url.domain.tld in $suspicious_tlds
      - ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
    - any of ml.link_analysis(., mode='aggressive').redirect_history where:
      - .domain.tld in $suspicious_tlds
    - ml.link_analysis(., mode='aggressive').final_dom.display_text contains 'secure message'
    - .display_text matches '(view|show|download).{0,20}(Doc(ument)?(s)?|files(s)?|attached)'
  - all of:
    - any of body.links where:
      - .href_url.domain.root_domain is 'formester.com'
    - body.current_thread.text contains 'use of Microsoft 365 and may contain content'
Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, type.inbound. Sensors: ml.link_analysis, regex.icontains, strings.icontains. Reference lists: $suspicious_tlds.
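The rule's boolean structure is easy to misread: every clause requires at least one formester.com link, and the body-phrase check is a separate branch ANDed with that link check rather than a standalone trigger. The Python below is an added example (not Sublime's code and not executable MQL) that re-implements the rule's logic over constructed messages so the branches can be exercised offline. Sublime's ml.link_analysis() sensor visits the link at scan time; here its outputs (credphish disposition, final-DOM link hosts, landing-page text, redirect history) are hand-supplied fields on a LinkAnalysis object. The contents of the $suspicious_tlds list are not on the page, so SUSPICIOUS_TLDS is an assumed stand-in, and tld()/root_domain() are naive label splits rather than public-suffix-aware parsing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for Sublime's $suspicious_tlds reference list (assumed values).
SUSPICIOUS_TLDS = {"top", "xyz", "icu", "cfd", "sbs"}

# Regex and phrases copied from the rule body; case-insensitive like regex.icontains / strings.icontains.
LINK_TEXT_RE = re.compile(
    r"(view|show|download).{0,20}(Doc(ument)?(s)?|files(s)?|attached)", re.IGNORECASE
)
LANDING_PHRASE = "secure message"
BODY_PHRASE = "use of microsoft 365 and may contain content"


@dataclass
class LinkAnalysis:
    """Hand-supplied stand-in for the ml.link_analysis() fields the rule reads."""
    credphish_disposition: str = "benign"
    final_dom_link_hosts: List[str] = field(default_factory=list)   # hosts of links in the landing page
    final_dom_display_text: str = ""                                # visible text of the landing page
    redirect_history_hosts: List[str] = field(default_factory=list) # hosts traversed before the final URL


@dataclass
class Link:
    href_host: str                 # host part of href_url
    display_text: str = ""         # anchor text shown to the recipient
    analysis: LinkAnalysis = field(default_factory=LinkAnalysis)


@dataclass
class Message:
    inbound: bool
    links: List[Link]
    body_text: str = ""            # stands in for body.current_thread.text


def tld(host: str) -> str:
    """Last DNS label, lower-cased. Naive: ignores multi-label suffixes such as co.uk."""
    return host.rsplit(".", 1)[-1].lower()


def root_domain(host: str) -> str:
    """Registrable domain, naively taken as the last two labels (same caveat as tld())."""
    return ".".join(host.lower().split(".")[-2:])


def link_reason(link: Link) -> Optional[str]:
    """The inner disjunction applied to one formester.com link; returns the clause that fired."""
    la = link.analysis
    if la.credphish_disposition == "phishing":
        return "credphish"
    if any(tld(h) in SUSPICIOUS_TLDS for h in la.final_dom_link_hosts):
        return "final_dom_tld"
    if any(tld(h) in SUSPICIOUS_TLDS for h in la.redirect_history_hosts):
        return "redirect_tld"
    if LANDING_PHRASE in la.final_dom_display_text.lower():
        return "landing_text"
    if LINK_TEXT_RE.search(link.display_text):
        return "link_text"
    return None


def evaluate(msg: Message) -> Optional[str]:
    """Whole rule: inbound and (suspicious formester link or (formester link and body phrase))."""
    if not msg.inbound:
        return None
    formester_links = [l for l in msg.links if root_domain(l.href_host) == "formester.com"]
    if not formester_links:
        return None  # both branches require a formester.com link
    for link in formester_links:
        reason = link_reason(link)
        if reason:
            return reason
    if BODY_PHRASE in msg.body_text.lower():
        return "body_phrase"
    return None


# Constructed sample messages (not real mail).
SAMPLES = {
    "credphish": Message(True, [Link("app.formester.com",
                                     analysis=LinkAnalysis(credphish_disposition="phishing"))]),
    "link_text": Message(True, [Link("forms.formester.com", display_text="View attached files")]),
    "redirect_tld": Message(True, [Link("formester.com",
                                        analysis=LinkAnalysis(redirect_history_hosts=["signin-verify.top"]))]),
    "body_phrase": Message(True, [Link("app.formester.com")],
                           body_text="Secured by the use of Microsoft 365 and may contain content for the recipient only."),
    "no_formester": Message(True, [Link("example.com", display_text="View attached files")],
                            body_text="use of Microsoft 365 and may contain content"),
    "outbound": Message(False, [Link("app.formester.com",
                                     analysis=LinkAnalysis(credphish_disposition="phishing"))]),
    "benign": Message(True, [Link("app.formester.com", display_text="Complete the survey")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13s} -> {evaluate(msg)}")
```

The "no_formester" sample shows the point worth remembering when tuning: the body phrase and the link-text regex alone never fire, so widening the keyword lists only affects mail that already carries a formester.com link.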
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
| body.links[].href_url.domain.root_domain | equals | formester.com |
| strings.icontains | substring | secure message |
| regex.icontains | regex | (view|show|download).{0,20}(Doc(ument)?(s)?|files(s)?|attached) |
| strings.icontains | substring | use of Microsoft 365 and may contain content |