Attachment: EML file with IPFS links

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

The attached EML uses engaging language, and IPFS links were detected in the EML file. IPFS has recently been observed hosting phishing sites.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Evasion, Free file host, Free subdomain host, IPFS

Event coverage

Rule body MQL

type.inbound
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension in ('eml'))
        and any(file.explode(.),
                any(.scan.url.urls,
                    strings.icontains(ml.link_analysis(.).effective_url.url,
                                      'ipfs'
                    )
                    or (
                      regex.icontains(ml.link_analysis(.).effective_url.path,
                                      '[\.-/]ipfs|ipfs[\.-/]'
                      )
                      and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
                      and (
                        (
                          // don't include high rep domains
                          ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
                          and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
                        )
                        // if it's in Tranco or Umbrella, still include it if it's one of these
                        or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
                        or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
                        or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
                      )
                    )
                )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .content_type is 'message/rfc822'
      • .file_extension in ('eml')
    • any of file.explode(.) where:
      • any of .scan.url.urls where any holds:
        • ml.link_analysis(.).effective_url.url contains 'ipfs'
        • all of:
          • ml.link_analysis(.).effective_url.path matches '[\.-/]ipfs|ipfs[\.-/]'
          • ml.link_analysis(.).effective_url.domain.domain not in $org_domains
          • any of:
            • all of:
              • ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
              • ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
            • ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
            • ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
            • ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts

Inspects: attachments[].content_type, attachments[].file_extension, type.inbound. Sensors: file.explode, ml.link_analysis, regex.icontains, strings.icontains. Reference lists: $free_file_hosts, $free_subdomain_hosts, $org_domains, $tranco_1m, $umbrella_1m.
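As an added illustration (not code from the sublime-rules repository, and not how Sublime's engine evaluates MQL), the following Python script emulates the detection logic above over a constructed inbound message carrying two EML attachments: one attached as message/rfc822 with an IPFS-style link, one attached as a generic file with a .eml extension and a benign link. Assumptions, all labelled in the code: the reference lists ($org_domains, $tranco_1m, $umbrella_1m, $free_file_hosts, $free_subdomain_hosts) are stand-ins built from reserved .example names; each URL is treated as its own effective URL because the redirect following done by ml.link_analysis is not emulated; file.explode(.).scan.url.urls is approximated by pulling URLs out of the nested message's text parts; and .domain.root_domain is approximated by the last two DNS labels rather than the public suffix list.

```python
import email
import re
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlsplit

# Constructed stand-ins for the rule's reference lists ($org_domains, $tranco_1m,
# $umbrella_1m, $free_file_hosts, $free_subdomain_hosts). The real lists are
# curated by Sublime; these reserved ".example" names exist only so the demo runs.
ORG_DOMAINS = {"corp.example"}
TRANCO_1M = {"popular-files.example", "bigsite.example"}
UMBRELLA_1M = {"popular-files.example", "bigsite.example"}
FREE_FILE_HOSTS = {"popular-files.example"}
FREE_SUBDOMAIN_HOSTS = {"freesub.example"}

# Pattern copied from the rule body; IGNORECASE mirrors regex.icontains.
IPFS_PATH_RE = re.compile(r"[\.-/]ipfs|ipfs[\.-/]", re.IGNORECASE)
# Crude URL extractor standing in for file.explode(.).scan.url.urls.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Approximates .domain.root_domain with the last two labels (assumption:
    the real engine uses the public suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def ipfs_url_matches(effective_url: str) -> bool:
    """Per-URL predicate of the rule. The URL is treated as its own effective
    URL; ml.link_analysis would first follow redirects, which is not emulated."""
    # Branch 1: strings.icontains(effective_url.url, 'ipfs')
    if "ipfs" in effective_url.lower():
        return True
    # Branch 2: path regex, not an org domain, and low reputation or a free host
    parts = urlsplit(effective_url)
    host = (parts.hostname or "").lower()
    if not IPFS_PATH_RE.search(parts.path) or host in ORG_DOMAINS:
        return False
    low_reputation = host not in TRANCO_1M and host not in UMBRELLA_1M
    root = root_domain(host)
    return (low_reputation
            or host in FREE_FILE_HOSTS
            or root in FREE_FILE_HOSTS
            or root in FREE_SUBDOMAIN_HOSTS)


def urls_in_message(msg: EmailMessage) -> list:
    """Collects URLs from every text part of an exploded (nested) message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def scan_message(outer: EmailMessage) -> list:
    """Mirrors the rule: for each attachment that is an EML (by MIME type or
    .eml extension), explode it and test every URL. Returns one record per hit."""
    hits = []
    for att in outer.iter_attachments():
        name = att.get_filename() or ""
        if att.get_content_type() == "message/rfc822":
            inner = att.get_payload(0)          # nested message object
        elif name.lower().endswith(".eml"):
            inner = email.message_from_bytes(att.get_payload(decode=True), policy=default)
        else:
            continue                            # not an EML attachment
        for url in urls_in_message(inner):
            if ipfs_url_matches(url):
                hits.append({"attachment": name, "url": url})
    return hits


def build_sample() -> EmailMessage:
    """Constructed inbound message with two EML attachments: one carrying an
    IPFS-style link (should match) and one carrying a benign link (should not)."""
    phish = EmailMessage()
    phish["Subject"] = "Action required: shared document awaiting your review"
    phish.set_content("Open: https://files-share.example/storage/ipfs/QmConstructedHash")

    benign = EmailMessage()
    benign["Subject"] = "Quarterly report"
    benign.set_content("Report: https://bigsite.example/docs/report.pdf")

    outer = EmailMessage()
    outer["Subject"] = "FW: documents"
    outer.set_content("See attached.")
    outer.add_attachment(phish, filename="forwarded.eml")            # message/rfc822
    outer.add_attachment(benign.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="report.eml")  # .eml by extension
    return outer


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(f"{hit['attachment']}: {hit['url']}")
```

Running it reports the single hit from forwarded.eml. Two things the emulation makes visible: in Python's regex dialect `[\.-/]` is the character range from `.` to `/`, so a hyphen directly before or after `ipfs` is not matched by the regex branch; and because branch 1 fires on any effective URL whose text contains `ipfs`, the regex branch only adds coverage if the engine's `.url` field can lack text that `.path` contains, which is worth confirming against a real detection before relying on the reputation exceptions when tuning.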

Indicators matched (4)

Field                          Match      Value
attachments[].content_type     equals     message/rfc822
attachments[].file_extension   member     eml
strings.icontains              substring  ipfs
regex.icontains                regex      [\.-/]ipfs|ipfs[\.-/]