Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Detects inbound messages carrying an EML attachment (content type message/rfc822, or a .eml file extension) whose contents link to Microsoft's OAuth authentication endpoints in ways consistent with credential or token harvesting. A link fires when its host is exactly login.microsoftonline.com and its query string matches any of the case-insensitive globs *offline_access*, *.readwrite*, *.read*, *ctx=* or *prompt=none* (offline-access and mailbox read/write scopes, the ctx parameter, and silent-authentication prompts), or when its path contains /common/reprocess together with ctx= and sessionId= parameters. Links are extracted from the attached EML's body, from PDF and HTML attachments nested inside it, and from ICS calendar attachments nested inside it (the ICS branch depends on a beta parser). Links in the outer message body itself are not examined by this rule.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Evasion, PDF |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL
type.inbound
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension in ("eml"))
        and (
          // links in attached EML body
          any(file.parse_eml(.).body.links,
              .href_url.domain.domain == 'login.microsoftonline.com'
              and (
                strings.ilike(.href_url.query_params,
                              '*offline_access*',
                              '*.readwrite*',
                              '*.read*',
                              '*ctx=*',
                              '*prompt=none*'
                )
                or (
                  strings.icontains(.href_url.path, '/common/reprocess')
                  and strings.icontains(.href_url.query_params, 'ctx=')
                  and strings.icontains(.href_url.query_params, 'sessionId=')
                )
              )
          )
          // links in PDF and HTML attachments inside the EML
          or any(filter(file.parse_eml(.).attachments,
                        .file_type in ("pdf", "html")
                 ),
                 any(file.explode(.),
                     any(.scan.url.urls,
                         .domain.domain == 'login.microsoftonline.com'
                         and (
                           strings.ilike(.query_params,
                                         '*offline_access*',
                                         '*.readwrite*',
                                         '*.read*',
                                         '*ctx=*',
                                         '*prompt=none*'
                           )
                           or (
                             strings.icontains(.path, '/common/reprocess')
                             and strings.icontains(.query_params, 'ctx=')
                             and strings.icontains(.query_params, 'sessionId=')
                           )
                         )
                     )
                 )
          )
          // links in ICS attachments inside the EML
          or any(filter(file.parse_eml(.).attachments,
                        .file_type == "ics"
                        or .file_extension == "ics"
                        or .content_type in ("application/ics", "text/calendar")
                 ),
                 //
                 // This rule makes use of a beta feature and is subject to change without notice.
                 // Using the beta feature in custom rules is not suggested until it has been formally released.
                 //
                 any(beta.file.parse_ics(.).events,
                     any(.links,
                         .href_url.domain.domain == 'login.microsoftonline.com'
                         and (
                           strings.ilike(.href_url.query_params,
                                         '*offline_access*',
                                         '*.readwrite*',
                                         '*.read*',
                                         '*ctx=*',
                                         '*prompt=none*'
                           )
                           or (
                             strings.icontains(.href_url.path, '/common/reprocess')
                             and strings.icontains(.href_url.query_params, 'ctx=')
                             and strings.icontains(.href_url.query_params, 'sessionId=')
                           )
                         )
                     )
                 )
          )
        )
)
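The URL predicate that all three branches of the rule share, applied to the body links of an EML attached to an inbound message, as an added Python example: this is not Sublime's code and not part of the rule page. It stands in for Sublime's MQL helpers (file.parse_eml, href_url.query_params, strings.ilike) with the standard library (urllib.parse, fnmatch, a URL regex over text parts), so it reproduces the rule's logic rather than the platform's parsers. The message it runs on is constructed inline; the addresses and the client_id are placeholders.

```python
"""Added example, not Sublime's code and not part of the rule page: a
stand-alone approximation of the rule's URL predicate, run over the body
links of an EML attached to an inbound message. Sublime's MQL helpers
(file.parse_eml, href_url.query_params, strings.ilike) are stood in for
with the standard library, so this mirrors the rule's logic, not the
platform's parsers.
"""
import email
import fnmatch
import re
from collections.abc import Iterator
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

TARGET_DOMAIN = "login.microsoftonline.com"
# The five globs from the rule's strings.ilike() call; matched case-insensitively.
QUERY_GLOBS = ("*offline_access*", "*.readwrite*", "*.read*", "*ctx=*", "*prompt=none*")
# Rough stand-in for Sublime's link extraction: bare URLs in text and HTML parts.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def ilike(value: str, *globs: str) -> bool:
    """Approximates strings.ilike(): true if any glob matches, ignoring case."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, g.lower()) for g in globs)


def is_suspicious_msft_login(url: str) -> bool:
    """The per-link predicate shared by the rule's EML-body, PDF/HTML and ICS branches."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != TARGET_DOMAIN:   # exact host, like .domain.domain ==
        return False
    query = parts.query                                    # raw query string, like .query_params
    if ilike(query, *QUERY_GLOBS):
        return True
    q = query.lower()                                      # strings.icontains() ignores case
    return "/common/reprocess" in parts.path.lower() and "ctx=" in q and "sessionid=" in q


def body_links(msg: EmailMessage) -> list[str]:
    """Stand-in for file.parse_eml(.).body.links: URLs found in the message's text parts."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(urls))   # de-duplicate, preserve order


def attached_emls(outer: EmailMessage) -> Iterator[EmailMessage]:
    """Yield the inner messages the rule selects: message/rfc822 parts or *.eml files."""
    for part in outer.walk():
        if part is outer:
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            yield part.get_payload(0)                       # already parsed by the email package
        elif name.endswith(".eml"):
            yield email.message_from_bytes(part.get_payload(decode=True), policy=policy.default)


def suspicious_links_in_attached_eml(raw_outer: bytes) -> list[str]:
    """Mirrors the rule's first branch: suspicious login links in an attached EML's body."""
    outer = email.message_from_bytes(raw_outer, policy=policy.default)
    return [u for inner in attached_emls(outer) for u in body_links(inner)
            if is_suspicious_msft_login(u)]


def build_sample(as_rfc822: bool = True) -> bytes:
    """Constructed test input (not a real capture): an outer mail carrying a forwarded
    EML whose HTML body links to a Microsoft consent URL. Addresses and client_id are
    placeholders."""
    inner = EmailMessage()
    inner["From"] = "it-desk@example.test"
    inner["To"] = "staff@example.test"
    inner["Subject"] = "Action required: re-authorize your mailbox"
    inner.set_content(
        '<p>Please <a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
        '&scope=offline_access%20Mail.ReadWrite&prompt=consent">re-authorize</a>.</p>\n'
        "<p>Sign out: https://login.microsoftonline.com/common/oauth2/logout</p>\n",
        subtype="html",
    )
    outer = EmailMessage()
    outer["From"] = "sender@example.test"
    outer["To"] = "victim@example.test"
    outer["Subject"] = "FW: Action required"
    outer.set_content("See attached.\n")
    if as_rfc822:
        outer.add_attachment(inner, filename="forwarded.eml")   # message/rfc822 part
    else:                                                       # same EML as an opaque .eml file
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="forwarded.eml")
    return outer.as_bytes()


if __name__ == "__main__":
    for url in suspicious_links_in_attached_eml(build_sample()):
        print("suspicious:", url)
```

Two properties of the predicate become visible once it is written out: the glob *.read* already matches everything *.readwrite* matches, and *ctx=* already fires on any URL the /common/reprocess branch would accept, so that branch adds no coverage as written. The host comparison is exact, so a look-alike such as login.microsoftonline.com.example.test does not match; detecting impersonating domains is out of scope for this rule.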
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - any of:
    - .content_type is 'message/rfc822'
    - .file_extension in ('eml')
  - any of:
    - any of file.parse_eml(.).body.links where all hold:
      - .href_url.domain.domain is 'login.microsoftonline.com'
      - any of:
        - .href_url.query_params matches any of 5 patterns: *offline_access*, *.readwrite*, *.read*, *ctx=*, *prompt=none*
        - all of:
          - .href_url.path contains '/common/reprocess'
          - .href_url.query_params contains 'ctx='
          - .href_url.query_params contains 'sessionId='
    - any of filter(...) (the inner EML's attachments with .file_type in ('pdf', 'html')) where: any of file.explode(.) where: any of .scan.url.urls where all hold:
      - .domain.domain is 'login.microsoftonline.com'
      - any of:
        - .query_params matches any of 5 patterns: *offline_access*, *.readwrite*, *.read*, *ctx=*, *prompt=none*
        - all of:
          - .path contains '/common/reprocess'
          - .query_params contains 'ctx='
          - .query_params contains 'sessionId='
    - any of filter(...) (the inner EML's attachments with .file_type 'ics', .file_extension 'ics', or .content_type in ('application/ics', 'text/calendar')) where: any of beta.file.parse_ics(.).events where: any of .links where all hold:
      - .href_url.domain.domain is 'login.microsoftonline.com'
      - any of:
        - .href_url.query_params matches any of 5 patterns: *offline_access*, *.readwrite*, *.read*, *ctx=*, *prompt=none*
        - all of:
          - .href_url.path contains '/common/reprocess'
          - .href_url.query_params contains 'ctx='
          - .href_url.query_params contains 'sessionId='
Inspects: attachments[].content_type, attachments[].file_extension, type.inbound. Sensors: beta.file.parse_ics, file.explode, file.parse_eml, strings.icontains, strings.ilike.
Indicators matched (19)
| Field | Match | Value |
|---|---|---|
| attachments[].content_type | equals | message/rfc822 |
| attachments[].file_extension | member | eml |
| file.parse_eml(attachments[]).body.links[].href_url.domain.domain | equals | login.microsoftonline.com |
| strings.ilike | substring | *offline_access* |
| strings.ilike | substring | *.readwrite* |
| strings.ilike | substring | *.read* |
| strings.ilike | substring | *ctx=* |
| strings.ilike | substring | *prompt=none* |
| strings.icontains | substring | /common/reprocess |
| strings.icontains | substring | ctx= |
| strings.icontains | substring | sessionId= |
| file.parse_eml(attachments[]).attachments[].file_type | member | pdf |
| file.parse_eml(attachments[]).attachments[].file_type | member | html |
| file.explode(filter(...)[])[].scan.url.urls[].domain.domain | equals | login.microsoftonline.com |
| file.parse_eml(attachments[]).attachments[].file_type | equals | ics |
| file.parse_eml(attachments[]).attachments[].file_extension | equals | ics |
| file.parse_eml(attachments[]).attachments[].content_type | member | application/ics |
| file.parse_eml(attachments[]).attachments[].content_type | member | text/calendar |
| beta.file.parse_ics(filter(...)[]).events[].links[].href_url.domain.domain | equals | login.microsoftonline.com |