detection.wiki

Detection rules › Sublime MQL

Credential phishing: Image as content, short or no body contents

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesEvasion, Image as content

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
sender.email
type

Rule body MQL

type.inbound
and length(body.links) < 2
and 0 < (length(attachments)) < 3
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 900
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      (
        strings.contains(body.current_thread.text, sender.email.email)
        and strings.contains(body.current_thread.text, 'caution')
      )
      or regex.icontains(body.current_thread.text,
                         "intended recipient's use only|external email|sent from outside|you don't often"
      )
    )
  )
)
and (
  all(attachments,
      (.file_type in $file_types_images)
      and (
        any(file.explode(.),
            any(.scan.exiftool.fields, .value == "Truncated PNG image")
            or (
              any(ml.logo_detect(..).brands, .name is not null)
              and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
              )
            )
        )
      )
  )
)

Detection logic

Scope: inbound message.

This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.

  1. inbound message
  2. length(body.links) < 2
  3. all of:
    • length(attachments) > 0
    • length(attachments) < 3
  4. any of:
    • any of:
      • all of:
        • length(body.current_thread.text) ≥ 0
        • length(body.current_thread.text) < 10
      • body.current_thread.text is missing
    • all of:
      • length(body.current_thread.text) < 900
      • any of:
        • all of:
          • strings.contains(body.current_thread.text)
          • body.current_thread.text contains 'caution'
        • body.current_thread.text matches "intended recipient's use only|external email|sent from outside|you don't often"
  5. all of attachments where all hold:
    • .file_type in $file_types_images
    • any of file.explode(.) where any holds:
      • any of .scan.exiftool.fields where:
        • .value is 'Truncated PNG image'
      • all of:
        • any of ml.logo_detect(.).brands where:
          • .name is set
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is 'cred_theft'
          • .confidence is 'high'

Inspects: attachments[].file_type, body.current_thread.text, body.links, sender.email.email, type.inbound. Sensors: file.explode, ml.logo_detect, ml.nlu_classifier, regex.icontains, strings.contains. Reference lists: $file_types_images.

Indicators matched (5)

FieldMatchValue
strings.containssubstringcaution
regex.icontainsregexintended recipient's use only|external email|sent from outside|you don't often
file.explode(attachments[])[].scan.exiftool.fields[].valueequalsTruncated PNG image
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].nameequalscred_theft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidenceequalshigh