Service abuse: Microsoft with suspicious indicators in subject

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating Microsoft account verification that contain suspicious indicators in the subject line, including phone numbers, monetary amounts, suspicious domains, explicit content, or lengthy action-oriented phrases.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing, Spam
Tactics and techniques	Impersonation: Brand, Social engineering

Event coverage

Message attribute
sender.email
subject
type

Rule body MQL

type.inbound
//
//  Warning: This rule contains sexually explicit keywords
//
and sender.email.domain.root_domain == "microsoftonline.com"
and strings.icontains(subject.subject, 'account email verification code')
and (
  // phone number regex
  regex.icontains(strings.replace_confusables(subject.base),
                  '\+?(?:[ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                  '\+?(?:[ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
  )
  // dollar amounts
  or regex.icontains(subject.base, '(?:USD|\$)\s?\d')
  or regex.icontains(subject.base, '\d+\.\d{2}\s?(?:USD|usd)')
  // suspicious TLDs
  or regex.icontains(subject.base,
                     '\.(?:ac\.th|biz\.id|co\.(?:cl|id|za)|com\.(?:ge|py)|my\.id|ne\.jp|net\.ms|nom\.za|web\.id|accountants|am|app|ar|army|beauty|best|bet|bio|biz|bond|cam|cc|cf|cfd|chat|cl|click|cloud|club|cm|company|consulting|country|cricket|cyou|date|dev|digital|directory|domains|download|enterprises|es|expert|fashion|finance|fit|foo|free|fun|ga|gdn|gf|gq|gu|help|i2p|icu|il|ing|ink|ir|jetzt|kim|kz|lat|life|limited|link|live|loan|lol|ltd|ly|me|meme|men|ml|mom|monster|mov|mq|one|online|ooo|party|photos|pictures|pizza|press|pro|pub|pw|racing|re|ren|rest|review|ro|rsvp|ru|run|sale|sbs|science|shop|site|so|social|solutions|space|store|stream|su|sx|tech|tk|today|tokyo|top|trade|tt|ua|uno|us|vip|vu|wang|website|win|work|works|world|ws|xin|xyz|zip|zone)\b'
  )
  // dating/spam/explicit content lures
  or regex.icontains(strings.replace_confusables(subject.base),
                     '(?:\bs\s?e\s?x\b|horny|hook.?up|private room|wanna meet|wants to meet|naked|porn|webcam|nudes?|sexting|erotic|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|bed partner)'
  )
  // action verbs + length
  or (
    strings.count(subject.base, " ") > 8
    and regex.icontains(strings.replace_confusables(subject.base),
                        '(?:call|dial|speak to|contact \d|to (?:stop|void|reverse|confirm|secure|verify|unfreeze))'
    )
  )
)

Detection logic

Scope: inbound message.

inbound message
sender.email.domain.root_domain is 'microsoftonline.com'
subject.subject contains 'account email verification code'
any of:
- strings.replace_confusables(subject.base) matches any of 2 patterns
  - \+?(?:[ilo0-9]{1}.)?$?[ilo0-9]{3}?$?.[ilo0-9]{3}.?[ilo0-9]{4}
  - \+?(?:[ilo0-9]{1,2})?\s?$?\d{3}$?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
- subject.base matches '(?:USD|\\$)\\s?\\d'
- subject.base matches '\\d+\\.\\d{2}\\s?(?:USD|usd)'
- subject.base matches '\\.(?:ac\\.th|biz\\.id|co\\.(?:cl|id|za)|com\\.(?:ge|py)|my\\.id|ne\\.jp|net\\.ms|nom\\.za|web\\.id|accountants|am|app|ar|army|beauty|best|bet|bio|biz|bond|cam|cc|cf|cfd|chat|cl|click|cloud|club|cm|company|consulting|country|cricket|cyou|date|dev|digital|directory|domains|download|enterprises|es|expert|fashion|finance|fit|foo|free|fun|ga|gdn|gf|gq|gu|help|i2p|icu|il|ing|ink|ir|jetzt|kim|kz|lat|life|limited|link|live|loan|lol|ltd|ly|me|meme|men|ml|mom|monster|mov|mq|one|online|ooo|party|photos|pictures|pizza|press|pro|pub|pw|racing|re|ren|rest|review|ro|rsvp|ru|run|sale|sbs|science|shop|site|so|social|solutions|space|store|stream|su|sx|tech|tk|today|tokyo|top|trade|tt|ua|uno|us|vip|vu|wang|website|win|work|works|world|ws|xin|xyz|zip|zone)\\b'
- strings.replace_confusables(subject.base) matches '(?:\\bs\\s?e\\s?x\\b|horny|hook.?up|private room|wanna meet|wants to meet|naked|porn|webcam|nudes?|sexting|erotic|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|bed partner)'
- all of:
  - strings.count(subject.base, ' ') > 8
  - strings.replace_confusables(subject.base) matches '(?:call|dial|speak to|contact \\d|to (?:stop|void|reverse|confirm|secure|verify|unfreeze))'

Inspects: sender.email.domain.root_domain, subject.base, subject.subject, type.inbound. Sensors: regex.icontains, strings.count, strings.icontains, strings.replace_confusables.

Indicators matched (9)

Field	Match	Value
`sender.email.domain.root_domain`	equals	`microsoftonline.com`
`strings.icontains`	substring	`account email verification code`
`regex.icontains`	regex	`\+?(?:[ilo0-9]{1}.)?$?[ilo0-9]{3}?$?.[ilo0-9]{3}.?[ilo0-9]{4}`
`regex.icontains`	regex	`\+?(?:[ilo0-9]{1,2})?\s?$?\d{3}$?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}`
`regex.icontains`	regex	`(?:USD\|\$)\s?\d`
`regex.icontains`	regex	`\d+\.\d{2}\s?(?:USD\|usd)`
`regex.icontains`	regex	\.(?:ac\.th\|biz\.id\|co\.(?:cl\|id\|za)\|com\.(?:ge\|py)\|my\.id\|ne\.jp\|net\.ms\|nom\.za\|web\.id\|accountants\|am\|app\|ar\|army\|beauty\|best\|bet\|bio\|biz\|bond\|cam\|cc\|cf\|cfd\|chat\|cl\|click\|cloud\|club\|cm\|company\|consulting\|country\|cricket\|cyou\|date\|dev\|digital\|directory\|domains\|download\|enterprises\|es\|expert\|fashion\|finance\|fit\|foo\|free\|fun\|ga\|gdn\|gf\|gq\|gu\|help\|i2p\|icu\|il\|ing\|ink\|ir\|jetzt\|kim\|kz\|lat\|life\|limited\|link\|live\|loan\|lol\|ltd\|ly\|me\|meme\|men\|ml\|mom\|monster\|mov\|mq\|one\|online\|ooo\|party\|photos\|pictures\|pizza\|press\|pro\|pub\|pw\|racing\|re\|ren\|rest\|review\|ro\|rsvp\|ru\|run\|sale\|sbs\|science\|shop\|site\|so\|social\|solutions\|space\|store\|stream\|su\|sx\|tech\|tk\|today\|tokyo\|top\|trade\|tt\|ua\|uno\|us\|vip\|vu\|wang\|website\|win\|work\|works\|world\|ws\|xin\|xyz\|zip\|zone)\b
`regex.icontains`	regex	`(?:\bs\s?e\s?x\b\|horny\|hook.?up\|private room\|wanna meet\|wants to meet\|naked\|porn\|webcam\|nudes?\|sexting\|erotic\|kinky\|seduce\|adult community\|cam shows\|local (?:girls?\|women\|single)\|bed partner)`
`regex.icontains`	regex	`(?:call\|dial\|speak to\|contact \d\|to (?:stop\|void\|reverse\|confirm\|secure\|verify\|unfreeze))`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)