Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Free file host, Free subdomain host, Social engineering |
Event coverage
Rule body MQL
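// Attachment: EML with link to credential phishing page
//
// Fires on an inbound message whose single attachment is an EML that (a) contains a
// link classified as credential phishing, lands on or redirects through a suspicious
// TLD, or bounces through an unusual redirect chain, AND (b) carries at least one
// secondary social-engineering indicator (request language, org-SLD impersonation,
// freemail Reply-To mismatch, or a lure subject). Bounces, read receipts and
// senders with benign history are excluded.
type.inbound
// exactly one attachment: a phishing EML shipped alongside other files is out of scope
// for this rule (precision over recall)
and length(attachments) == 1
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension =~ "eml")
        // identifies suspicious URLs in the attached EML
        and any(file.parse_eml(.).body.links,
                (
                  ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
                  and ml.link_analysis(., mode="aggressive").credphish.confidence in (
                    "medium",
                    "high"
                  )
                )
                // or any links in the final dom lead to a suspicious tld
                // (this branch uses default link_analysis mode, unlike the others;
                // left unchanged because switching modes changes what gets crawled)
                or any(ml.link_analysis(.).final_dom.links,
                       .href_url.domain.tld in $suspicious_tlds
                       or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
                )
                // link redirects to a suspicious TLD
                or any(ml.link_analysis(., mode="aggressive").redirect_history,
                       .domain.tld in $suspicious_tlds
                )
                or (
                  // suspicious redirects:
                  // 3 or more different domains with 2 or more different TLDs.
                  // careful because click trackers will always make this at least 2
                  // different domains and not unlikely 2 or more TLDs
                  length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                      .domain.tld
                                  )
                         )
                  ) >= 2
                  and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                          .domain.domain
                                      )
                             )
                  ) >= 3
                )
        )
        // identifies other suspicious indicators (at least one required)
        and (
          // engaging language in the original body
          any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
          )
          // engaging language in the attached EML
          or any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities,
                 .name == "request"
          )
          // recipient SLD impersonated in the subject or display name
          or any(recipients.to,
                 // ensure that we're checking the org SLD
                 .email.domain.sld in $org_slds
                 and (
                   strings.icontains(subject.subject, .email.domain.sld)
                   or strings.icontains(sender.display_name, .email.domain.sld)
                 )
          )
          // mismatched sender (From) and Reply-to + freemail
          or any(headers.reply_to,
                 length(headers.reply_to) > 0
                 and all(headers.reply_to,
                         .email.domain.root_domain != sender.email.domain.root_domain
                         and .email.domain.root_domain in $free_email_providers
                 )
          )
          or any($suspicious_subjects, strings.icontains(subject.subject, .))
          // lure subjects. Some tokens below ("report", "scam", "office365") are very
          // broad on their own; they only count as a secondary signal because the
          // attached EML's link analysis must already have matched above.
          or regex.icontains(subject.subject,
                             "termination.*notice",
                             "38417",
                             ":completed",
                             "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                             "[il][il][il]egai[ -]",
                             "[li][li][li]ega[li] attempt",
                             "[ng]-?[io]n .*block",
                             "[ng]-?[io]n .*cancel",
                             "[ng]-?[io]n .*deactiv",
                             "[ng]-?[io]n .*disabl",
                             "action.*required",
                             "abandon.*package",
                             "about.your.account",
                             "acc(ou)?n?t (is )?on ho[li]d",
                             "acc(ou)?n?t.*terminat",
                             "acc(oun)?t.*[il1]{2}mitation",
                             "access.*limitation",
                             "account (will be )?block",
                             "account.*de-?activat",
                             "account.*locked",
                             "account.*re-verification",
                             "account.*security",
                             "account.*suspension",
                             "account.has.been",
                             "account.has.expired",
                             "account.will.be.blocked",
                             "account v[il]o[li]at",
                             "activity.*acc(oun)?t",
                             "almost.full",
                             "app[li]e.[il]d",
                             "authenticate.*account",
                             "been.*suspend",
                             "clos.*of.*account.*processed",
                             "confirm.your.account",
                             "courier.*able",
                             "crediential.*notif",
                             "deactivation.*in.*progress",
                             "delivery.*attempt.*failed",
                             "document.received",
                             "documented.*shared.*with.*you",
                             "dropbox.*document",
                             // was ".{010}" (not a bounded range in RE2 syntax); the
                             // "up to 10 chars" reading is assumed here -- confirm intent
                             "e-?ma[il1]+ .{0,10}suspen",
                             "e-?ma[il1]{1} user",
                             "e-?ma[il1]{2} acc",
                             "e-?ma[il1]{2}.*up.?grade",
                             "e.?ma[il1]{2}.*server",
                             "e.?ma[il1]{2}.*suspend",
                             "email.update",
                             "faxed you",
                             "fraud(ulent)?.*charge",
                             "from.helpdesk",
                             "fu[il1]{2}.*ma[il1]+[ -]?box",
                             "has.been.*suspended",
                             "has.been.limited",
                             "have.locked",
                             "he[li]p ?desk upgrade",
                             "heipdesk",
                             "i[il]iega[il]",
                             "ii[il]ega[il]",
                             "incoming e?mail",
                             "incoming.*fax",
                             "lock.*security",
                             "ma[il1]{1}[ -]?box.*quo",
                             "ma[il1]{2}[ -]?box.*fu[il1]",
                             "ma[il1]{2}box.*[il1]{2}mit",
                             "ma[il1]{2}box stor",
                             "mail on.?hold",
                             "mail.*box.*migration",
                             "mail.*de-?activat",
                             "mail.update.required",
                             "mails.*pending",
                             "messages.*pending",
                             "missed.*shipping.*notification",
                             "missed.shipment.notification",
                             "must.update.your.account",
                             "new [sl][io]g?[nig][ -]?in from",
                             "new voice ?-?mail",
                             "notifications.*pending",
                             "office.*3.*6.*5.*suspend",
                             "office365",
                             "on google docs with you",
                             "online doc",
                             "password.*compromised",
                             "periodic maintenance",
                             "potential(ly)? unauthorized",
                             "refund not approved",
                             "report",
                             "revised.*policy",
                             "scam",
                             "scanned.?invoice",
                             "secured?.update",
                             "security breach",
                             "securlty",
                             "signed.*delivery",
                             // was ".{314}?" (exactly 314 chars, lazy); a 3-14 char
                             // range is assumed here -- confirm intent
                             "status of your .{3,14}? ?delivery",
                             "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                             "suspicious.*sign.*[io]n",
                             "suspicious.activit",
                             "temporar(il)?y deactivate",
                             "temporar[il1]{2}y disab[li]ed",
                             "temporarily.*lock",
                             "un-?usua[li].activity",
                             "unable.*deliver",
                             "unauthorized.*activit",
                             "unauthorized.device",
                             "undelivered message",
                             "unread.*doc",
                             "unusual.activity",
                             "upgrade.*account",
                             "upgrade.notice",
                             "urgent message",
                             "urgent.verification",
                             "v[il1]o[li1]at[il1]on security",
                             "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                             "verification ?-?require",
                             "verification( )?-?need",
                             "verify.your?.account",
                             "web ?-?ma[il1]{2}",
                             "web[ -]?ma[il1]{2}",
                             "will.be.suspended",
                             "your (customer )?account .as",
                             "your.office.365",
                             "your.online.access",
          )
        )
)
// exclude bounce backs & read receipts.
// NOTE: sender.email.local_part is attacker-controlled (no authentication alignment
// is checked here), so any local part containing one of these tokens, e.g.
// "administrator@<attacker domain>", makes this rule not fire.
and not strings.ilike(sender.email.local_part,
                      "*postmaster*",
                      "*mailer-daemon*",
                      "*administrator*"
)
// exclude optonline deprecated mailbox returns.
// The whole conjunction is negated: previously only the display-name test was
// negated, which restricted the rule to messages *from* optonline.net.
and not (
  strings.starts_with(sender.display_name, "Auto-reply")
  and sender.email.domain.root_domain == "optonline.net"
)
// subject-based bounce/receipt exclusion (also attacker-controlled, same caveat as above)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
// sender profile: never fire on a sender with benign history; otherwise require the
// sender to be unsolicited or to have prior malicious/spam messages
// (equivalent to the original nested form, with the duplicated benign check folded in)
and not profile.by_sender().any_messages_benign
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)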
Detection logic
Scope: inbound message.
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
- inbound message
- length(attachments) is 1
any of
attachments where all hold: any of:
- .content_type is 'message/rfc822'
- .file_extension is 'eml'
any of
file.parse_eml(.).body.links where any holds: all of:
- ml.link_analysis(., mode='aggressive').credphish.disposition is 'phishing'
- ml.link_analysis(., mode='aggressive').credphish.confidence in ('medium', 'high')
any of
ml.link_analysis(.).final_dom.links where any holds:
- .href_url.domain.tld in $suspicious_tlds
- ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
any of
ml.link_analysis(., mode='aggressive').redirect_history where any holds:
- .domain.tld in $suspicious_tlds
all of:
- length(distinct(map(ml.link_analysis(., mode='aggressive').redirect_history, .domain.tld))) ≥ 2
- length(distinct(map(ml.link_analysis(., mode='aggressive').redirect_history, .domain.domain))) ≥ 3
any of:
any of
ml.nlu_classifier(body.current_thread.text).entities where any holds:
- .name is 'request'
any of
ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities where any holds:
- .name is 'request'
any of
recipients.to where all hold:
- .email.domain.sld in $org_slds
any of:
- strings.icontains(subject.subject, .email.domain.sld)
- strings.icontains(sender.display_name, .email.domain.sld)
any of
headers.reply_to where all hold:
- length(headers.reply_to) > 0
all of
headers.reply_to where all hold:
- .email.domain.root_domain is not sender.email.domain.root_domain
- .email.domain.root_domain in $free_email_providers
any of
$suspicious_subjects where any holds:
- strings.icontains(subject.subject, .)
subject.subject matches any of 123 patterns
termination.*notice38417:completed[il1]{2}mit.*ma[il1]{2} ?bo?x[il][il][il]egai[ -][li][li][li]ega[li] attempt[ng]-?[io]n .*block[ng]-?[io]n .*cancel[ng]-?[io]n .*deactiv[ng]-?[io]n .*disablaction.*requiredabandon.*packageabout.your.accountacc(ou)?n?t (is )?on ho[li]dacc(ou)?n?t.*terminatacc(oun)?t.*[il1]{2}mitationaccess.*limitationaccount (will be )?blockaccount.*de-?activataccount.*lockedaccount.*re-verificationaccount.*securityaccount.*suspensionaccount.has.beenaccount.has.expiredaccount.will.be.blockedaccount v[il]o[li]atactivity.*acc(oun)?talmost.fullapp[li]e.[il]dauthenticate.*accountbeen.*suspendclos.*of.*account.*processedconfirm.your.accountcourier.*ablecrediential.*notifdeactivation.*in.*progressdelivery.*attempt.*faileddocument.receiveddocumented.*shared.*with.*youdropbox.*documente-?ma[il1]+ .{010}suspene-?ma[il1]{1} usere-?ma[il1]{2} acce-?ma[il1]{2}.*up.?gradee.?ma[il1]{2}.*servere.?ma[il1]{2}.*suspendemail.updatefaxed youfraud(ulent)?.*chargefrom.helpdeskfu[il1]{2}.*ma[il1]+[ -]?boxhas.been.*suspendedhas.been.limitedhave.lockedhe[li]p ?desk upgradeheipdeski[il]iega[il]ii[il]ega[il]incoming e?mailincoming.*faxlock.*securityma[il1]{1}[ -]?box.*quoma[il1]{2}[ -]?box.*fu[il1]ma[il1]{2}box.*[il1]{2}mitma[il1]{2}box stormail on.?holdmail.*box.*migrationmail.*de-?activatmail.update.requiredmails.*pendingmessages.*pendingmissed.*shipping.*notificationmissed.shipment.notificationmust.update.your.accountnew [sl][io]g?[nig][ -]?in fromnew voice ?-?mailnotifications.*pendingoffice.*3.*6.*5.*suspendoffice365on google docs with youonline docpassword.*compromisedperiodic maintenancepotential(ly)? unauthorizedrefund not approvedreportrevised.*policyscamscanned.?invoicesecured?.updatesecurity breachsecurltysigned.*deliverystatus of your .{314}? 
?deliverysusp[il1]+c[il1]+ous.*act[il1]+v[il1]+tysuspicious.*sign.*[io]nsuspicious.activittemporar(il)?y deactivatetemporar[il1]{2}y disab[li]edtemporarily.*lockun-?usua[li].activityunable.*deliverunauthorized.*activitunauthorized.deviceundelivered messageunread.*docunusual.activityupgrade.*accountupgrade.noticeurgent messageurgent.verificationv[il1]o[li1]at[il1]on securityva[il1]{1}date.*ma[il1]{2}[ -]?boxverification ?-?requireverification( )?-?needverify.your?.accountweb ?-?ma[il1]{2}web[ -]?ma[il1]{2}will.be.suspendedyour (customer )?account .asyour.office.365your.online.access
not:
sender.email.local_part matches any of 3 patterns:
*postmaster*, *mailer-daemon*, *administrator*
all of:
not:
- sender.display_name starts with 'Auto-reply'
- sender.email.domain.root_domain is 'optonline.net'
(Note: as written in the rule body, only the 'Auto-reply' test is negated, so this clause restricts the rule to messages whose sender root domain is optonline.net. The accompanying comment, "exclude optonline deprecated mailbox returns", indicates the intended form is the negation of the whole conjunction: not (display_name starts with 'Auto-reply' and root_domain is 'optonline.net').)
not:
- subject.subject matches '^(undeliverable|read:)'
not:
any of
attachments where any holds:
- .content_type is 'message/delivery-status'
not:
any of
headers.references where any holds:
- strings.contains(body.html.display_text, .)
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, body.current_thread.text, body.html.display_text, headers.references, headers.reply_to, headers.reply_to[].email.domain.root_domain, recipients.to, recipients.to[].email.domain.sld, sender.display_name, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: file.parse_eml, ml.link_analysis, ml.nlu_classifier, profile.by_sender, regex.icontains, strings.contains, strings.icontains, strings.ilike, strings.starts_with. Reference lists: $free_email_providers, $org_slds, $suspicious_subjects, $suspicious_tlds.
Indicators matched (134)
| Field | Match | Value |
|---|---|---|
attachments[].content_type | equals | message/rfc822 |
attachments[].file_extension | equals | eml |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |
ml.nlu_classifier(file.parse_eml(attachments[]).body.current_thread.text).entities[].name | equals | request |
regex.icontains | regex | termination.*notice |
regex.icontains | regex | 38417 |
regex.icontains | regex | :completed |
regex.icontains | regex | [il1]{2}mit.*ma[il1]{2} ?bo?x |
regex.icontains | regex | [il][il][il]egai[ -] |
regex.icontains | regex | [li][li][li]ega[li] attempt |
regex.icontains | regex | [ng]-?[io]n .*block |
regex.icontains | regex | [ng]-?[io]n .*cancel |
regex.icontains | regex | [ng]-?[io]n .*deactiv |
regex.icontains | regex | [ng]-?[io]n .*disabl |
regex.icontains | regex | action.*required |
regex.icontains | regex | abandon.*package |
regex.icontains | regex | about.your.account |
regex.icontains | regex | acc(ou)?n?t (is )?on ho[li]d |
regex.icontains | regex | acc(ou)?n?t.*terminat |
regex.icontains | regex | acc(oun)?t.*[il1]{2}mitation |
regex.icontains | regex | access.*limitation |
regex.icontains | regex | account (will be )?block |
regex.icontains | regex | account.*de-?activat |
regex.icontains | regex | account.*locked |
regex.icontains | regex | account.*re-verification |
regex.icontains | regex | account.*security |
regex.icontains | regex | account.*suspension |
regex.icontains | regex | account.has.been |
regex.icontains | regex | account.has.expired |
regex.icontains | regex | account.will.be.blocked |
regex.icontains | regex | account v[il]o[li]at |
regex.icontains | regex | activity.*acc(oun)?t |
regex.icontains | regex | almost.full |
regex.icontains | regex | app[li]e.[il]d |
regex.icontains | regex | authenticate.*account |
regex.icontains | regex | been.*suspend |
regex.icontains | regex | clos.*of.*account.*processed |
regex.icontains | regex | confirm.your.account |
regex.icontains | regex | courier.*able |
regex.icontains | regex | crediential.*notif |
regex.icontains | regex | deactivation.*in.*progress |
regex.icontains | regex | delivery.*attempt.*failed |
regex.icontains | regex | document.received |
regex.icontains | regex | documented.*shared.*with.*you |
regex.icontains | regex | dropbox.*document |
regex.icontains | regex | e-?ma[il1]+ .{010}suspen |
regex.icontains | regex | e-?ma[il1]{1} user |
regex.icontains | regex | e-?ma[il1]{2} acc |
regex.icontains | regex | e-?ma[il1]{2}.*up.?grade |
regex.icontains | regex | e.?ma[il1]{2}.*server |
regex.icontains | regex | e.?ma[il1]{2}.*suspend |
regex.icontains | regex | email.update |
regex.icontains | regex | faxed you |
regex.icontains | regex | fraud(ulent)?.*charge |
regex.icontains | regex | from.helpdesk |
regex.icontains | regex | fu[il1]{2}.*ma[il1]+[ -]?box |
regex.icontains | regex | has.been.*suspended |
regex.icontains | regex | has.been.limited |
regex.icontains | regex | have.locked |
regex.icontains | regex | he[li]p ?desk upgrade |
regex.icontains | regex | heipdesk |
regex.icontains | regex | i[il]iega[il] |
regex.icontains | regex | ii[il]ega[il] |
regex.icontains | regex | incoming e?mail |
regex.icontains | regex | incoming.*fax |
regex.icontains | regex | lock.*security |
regex.icontains | regex | ma[il1]{1}[ -]?box.*quo |
regex.icontains | regex | ma[il1]{2}[ -]?box.*fu[il1] |
regex.icontains | regex | ma[il1]{2}box.*[il1]{2}mit |
regex.icontains | regex | ma[il1]{2}box stor |
regex.icontains | regex | mail on.?hold |
regex.icontains | regex | mail.*box.*migration |
regex.icontains | regex | mail.*de-?activat |
regex.icontains | regex | mail.update.required |
regex.icontains | regex | mails.*pending |
regex.icontains | regex | messages.*pending |
regex.icontains | regex | missed.*shipping.*notification |
regex.icontains | regex | missed.shipment.notification |
regex.icontains | regex | must.update.your.account |
regex.icontains | regex | new [sl][io]g?[nig][ -]?in from |
regex.icontains | regex | new voice ?-?mail |
regex.icontains | regex | notifications.*pending |
regex.icontains | regex | office.*3.*6.*5.*suspend |
regex.icontains | regex | office365 |
regex.icontains | regex | on google docs with you |
regex.icontains | regex | online doc |
regex.icontains | regex | password.*compromised |
regex.icontains | regex | periodic maintenance |
regex.icontains | regex | potential(ly)? unauthorized |
regex.icontains | regex | refund not approved |
regex.icontains | regex | report |
regex.icontains | regex | revised.*policy |
regex.icontains | regex | scam |
regex.icontains | regex | scanned.?invoice |
regex.icontains | regex | secured?.update |
regex.icontains | regex | security breach |
regex.icontains | regex | securlty |
regex.icontains | regex | signed.*delivery |
regex.icontains | regex | status of your .{314}? ?delivery |
regex.icontains | regex | susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty |
regex.icontains | regex | suspicious.*sign.*[io]n |
regex.icontains | regex | suspicious.activit |
regex.icontains | regex | temporar(il)?y deactivate |
regex.icontains | regex | temporar[il1]{2}y disab[li]ed |
regex.icontains | regex | temporarily.*lock |
regex.icontains | regex | un-?usua[li].activity |
regex.icontains | regex | unable.*deliver |
regex.icontains | regex | unauthorized.*activit |
regex.icontains | regex | unauthorized.device |
regex.icontains | regex | undelivered message |
regex.icontains | regex | unread.*doc |
regex.icontains | regex | unusual.activity |
regex.icontains | regex | upgrade.*account |
regex.icontains | regex | upgrade.notice |
regex.icontains | regex | urgent message |
regex.icontains | regex | urgent.verification |
regex.icontains | regex | v[il1]o[li1]at[il1]on security |
regex.icontains | regex | va[il1]{1}date.*ma[il1]{2}[ -]?box |
regex.icontains | regex | verification ?-?require |
regex.icontains | regex | verification( )?-?need |
regex.icontains | regex | verify.your?.account |
regex.icontains | regex | web ?-?ma[il1]{2} |
regex.icontains | regex | web[ -]?ma[il1]{2} |
regex.icontains | regex | will.be.suspended |
regex.icontains | regex | your (customer )?account .as |
regex.icontains | regex | your.office.365 |
regex.icontains | regex | your.online.access |
strings.ilike | substring | *postmaster* |
strings.ilike | substring | *mailer-daemon* |
strings.ilike | substring | *administrator* |
strings.starts_with | prefix | Auto-reply |
sender.email.domain.root_domain | equals | optonline.net |
regex.icontains | regex | ^(undeliverable|read:) |
attachments[].content_type | equals | message/delivery-status |