Service abuse: Task management message sent via SendGrid

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Impersonation: Brand, Social engineering, Evasion

Event coverage

Rule body MQL

type.inbound
// subject contains "todo list"
and (
  regex.icontains(subject.subject, "T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST")
  // or we can check the body for todo list content with high cred_theft intent
  or (
    regex.icontains(body.current_thread.text,
                    "T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence == "high"
    )
  )
)
// utilizing sendgrid infra
and headers.return_path.domain.domain == "sendgrid.net"
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of:
    • subject.subject matches 'T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST'
    • all of:
      • body.current_thread.text matches 'T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST'
      • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
        • .name is 'cred_theft'
        • .confidence is 'high'
  3. headers.return_path.domain.domain is 'sendgrid.net'
  4. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  5. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.return_path.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains. Reference lists: $high_trust_sender_root_domains.
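The rule body and the step list above are the same boolean logic; to make it concrete, here is an added Python re-implementation of that logic (example code, not part of the sublime-rules repository) evaluated over a few constructed messages. The ML intent classifier output, the sender-profile flags and the $high_trust_sender_root_domains list are not reproduced; they are supplied as fields on the constructed message record, and the domain values in HIGH_TRUST_ROOT_DOMAINS are placeholders. The regex is the rule's own pattern: the MQL string "\\s" is the regex escape \s, which is why the Python raw string below uses a single backslash.

```python
import re
from dataclasses import dataclass, field

# Same pattern as the rule body: tolerates 0/o, 1/I/l substitutions and
# optional hyphens or whitespace between the words, case-insensitively.
TODO_LIST_RE = re.compile(r"T[0o][-\s]*D[o0][-\s]*L[I1l]ST", re.IGNORECASE)

# Stand-in for the $high_trust_sender_root_domains reference list (constructed placeholders).
HIGH_TRUST_ROOT_DOMAINS = {"example.com", "trusted-saas.example"}


@dataclass
class Message:
    """Constructed stand-in for the MQL message object, holding only the fields the rule inspects."""
    inbound: bool
    subject: str                      # subject.subject
    body_text: str                    # body.current_thread.text
    return_path_domain: str           # headers.return_path.domain.domain
    sender_root_domain: str           # sender.email.domain.root_domain
    dmarc_pass: bool                  # headers.auth_summary.dmarc.pass
    # ml.nlu_classifier(...).intents as (name, confidence) pairs (constructed, not a real classifier)
    intents: list = field(default_factory=list)
    # profile.by_sender() flags (constructed)
    solicited: bool = False
    any_malicious_or_spam: bool = False
    any_benign: bool = False


def mentions_todo_list(text: str) -> bool:
    """regex.icontains(text, pattern)"""
    return TODO_LIST_RE.search(text) is not None


def high_cred_theft_intent(intents) -> bool:
    """any(intents, .name == "cred_theft" and .confidence == "high")"""
    return any(name == "cred_theft" and conf == "high" for name, conf in intents)


def sender_domain_suspicious(m: Message) -> bool:
    """High-trust root domains are exempt only while they pass DMARC; every other domain is in scope."""
    trusted = m.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
    return (trusted and not m.dmarc_pass) or not trusted


def sender_profile_suspicious(m: Message) -> bool:
    """Unsolicited sender, or a sender with prior malicious/spam mail and no benign history."""
    return (not m.solicited) or (m.any_malicious_or_spam and not m.any_benign)


def rule_matches(m: Message) -> bool:
    """Evaluate the whole rule: every top-level `and` clause must hold."""
    if not m.inbound:
        return False
    todo_list_lure = mentions_todo_list(m.subject) or (
        mentions_todo_list(m.body_text) and high_cred_theft_intent(m.intents)
    )
    return (
        todo_list_lure
        and m.return_path_domain == "sendgrid.net"
        and sender_domain_suspicious(m)
        and sender_profile_suspicious(m)
    )


# Constructed sample messages covering the main branches of the rule.
SAMPLES = {
    # leetspeak subject lure, SendGrid return-path, unknown unsolicited sender -> match
    "subject_lure": Message(True, "Your T0-D0 L1ST has 3 overdue items", "Please review.",
                            "sendgrid.net", "task-notify.example", False),
    # same lure but from a high-trust domain that passes DMARC -> exempt
    "trusted_dmarc_pass": Message(True, "Your To Do List", "Please review.",
                                  "sendgrid.net", "example.com", True),
    # high-trust domain failing DMARC is no longer exempt -> match
    "trusted_dmarc_fail": Message(True, "Your To Do List", "Please review.",
                                  "sendgrid.net", "example.com", False),
    # lure only in the body, backed by a high-confidence cred_theft intent -> match
    "body_lure_high_intent": Message(True, "Notification", "Sign in to open your ToDoList",
                                     "sendgrid.net", "task-notify.example", False,
                                     intents=[("cred_theft", "high")]),
    # body lure but classifier confidence is only medium -> no match
    "body_lure_medium_intent": Message(True, "Notification", "Sign in to open your ToDoList",
                                       "sendgrid.net", "task-notify.example", False,
                                       intents=[("cred_theft", "medium")]),
    # everything matches except the mail did not come through SendGrid -> no match
    "other_infra": Message(True, "Your To Do List", "Please review.",
                           "mail.other-esp.example", "task-notify.example", False),
    # solicited sender with no bad history -> no match
    "solicited_sender": Message(True, "Your To Do List", "Please review.",
                                "sendgrid.net", "task-notify.example", False, solicited=True),
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed message."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} -> {'MATCH' if verdict else 'no match'}")
```

The two exemption clauses are the part worth reading twice: a sender on the high-trust list is skipped only while its DMARC check passes, and a sender that has been seen before is skipped only if it was solicited or has any benign history, so a spoofed trusted brand or a previously flagged sender still reaches the alert.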

Indicators matched (4)

Field                                                          Match    Value
regex.icontains                                                regex    T[0o][-\\s]*D[o0][-\\s]*L[I1l]ST
ml.nlu_classifier(body.current_thread.text).intents[].name     equals   cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence   equals   high
headers.return_path.domain.domain                              equals   sendgrid.net