
Impersonation: Fake Gmail attachment

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule detects fake Gmail attachments by inspecting the body of a message for elements that belong to Gmail's attachment user interface. In expected use these elements appear only in the Gmail web UI, never in the body of a message itself. Their presence inside a message body indicates a fake attachment lure.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing
Tactics and techniques  Impersonation: Brand

Event coverage

Rule body (MQL)

type.inbound
and any([body.html.display_text, body.current_thread.text, body.plain.raw],
        length(.) < 2500
        and (
          strings.icontains(., 'Scanned by Gmail')
          or (
            0 < regex.icount(., '\.pdf|\.(doc|xls|ppt)x?') < 3
            and any(body.links,
                    regex.icontains(.display_text, 'd[ao0]wnl[ao0]{2}d all')
            )
            and length(body.links) < 4
          )
        )
        and regex.icontains(.,
                            '[KM]b\b'
        ) // file size
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// if the sender has been marked as malicious, but has FPs, don't alert
and (
  (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or not profile.by_sender().any_messages_malicious_or_spam
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. any of [body.html.display_text, body.current_thread.text, body.plain.raw] where all hold:
    • length(.) < 2500
    • any of:
      • . contains 'Scanned by Gmail' (case-insensitive)
      • all of:
        • 0 < regex.icount(., '\.pdf|\.(doc|xls|ppt)x?') < 3 (one or two document-style file names)
        • any of body.links where:
          • .display_text matches 'd[ao0]wnl[ao0]{2}d all' (case-insensitive; tolerates a/o/0 substitutions in "Download all")
        • length(body.links) < 4
    • . matches '[KM]b\b' (case-insensitive; a KB/MB file-size suffix)
  3. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  4. any of:
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
    • not:
      • profile.by_sender().any_messages_malicious_or_spam

Inspects: body.current_thread.text, body.html.display_text, body.links, body.links[].display_text, body.plain.raw, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, regex.icontains, regex.icount, strings.icontains. Reference lists: $high_trust_sender_root_domains.
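To see how the body checks above combine, here is an added Python re-implementation of the rule's logic (example code, not from sublime-rules) run over constructed sample messages. The Message fields, the high-trust domain set and the sample bodies are assumptions standing in for Sublime's message model and the $high_trust_sender_root_domains list.

```python
import re
from dataclasses import dataclass

# Regexes copied from the MQL rule body; MQL's icount/icontains are case-insensitive
DOC_EXT_RE = re.compile(r'\.pdf|\.(doc|xls|ppt)x?', re.IGNORECASE)
DOWNLOAD_ALL_RE = re.compile(r'd[ao0]wnl[ao0]{2}d all', re.IGNORECASE)
FILE_SIZE_RE = re.compile(r'[KM]b\b', re.IGNORECASE)

@dataclass
class Message:
    """Assumed stand-in for the MQL fields the rule inspects."""
    inbound: bool
    bodies: list                 # body.html.display_text, body.current_thread.text, body.plain.raw
    link_texts: list             # body.links[].display_text (one entry per link)
    sender_root_domain: str      # sender.email.domain.root_domain
    dmarc_pass: bool             # headers.auth_summary.dmarc.pass
    sender_ever_malicious: bool = False   # profile.by_sender().any_messages_malicious_or_spam
    sender_ever_benign: bool = False      # profile.by_sender().any_messages_benign

HIGH_TRUST_ROOT_DOMAINS = frozenset({"google.com", "microsoft.com"})  # constructed list

def body_looks_like_fake_attachment(text: str, link_texts: list) -> bool:
    """One body variant evaluated against the any([...]) block of the rule."""
    if len(text) >= 2500:
        return False
    scanned = "scanned by gmail" in text.lower()
    doc_names = sum(1 for _ in DOC_EXT_RE.finditer(text))
    lure = (0 < doc_names < 3
            and any(DOWNLOAD_ALL_RE.search(t) for t in link_texts)
            and len(link_texts) < 4)
    return (scanned or lure) and FILE_SIZE_RE.search(text) is not None

def rule_matches(msg: Message) -> bool:
    if not msg.inbound:
        return False
    if not any(body_looks_like_fake_attachment(t, msg.link_texts) for t in msg.bodies):
        return False
    # negate highly trusted sender domains unless they fail DMARC
    if msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    # sender flagged malicious but with benign history (FPs): don't alert
    if msg.sender_ever_malicious and msg.sender_ever_benign:
        return False
    return True

# Constructed sample messages (not real mail)
LURE = Message(True, ["Scanned by Gmail\nInvoice_4471.pdf 245 KB"], ["Download all"], "example.net", False)
OBFUSCATED = Message(True, ["Attachments: Q3_Report.docx 1.1 Mb"], ["D0wnl00d all"], "example.net", False)
BENIGN = Message(True, ["Hi team, the Q3 report.pdf (1.2 MB) is attached."], [], "example.net", True)
TRUSTED = Message(True, ["Scanned by Gmail\nstatement.pdf 80 KB"], ["Download all"], "google.com", True)
```

BENIGN mentions a document and a size but has no "Download all" link, and TRUSTED is suppressed because the trusted root domain passes DMARC.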

Indicators matched (4)

Field              Match      Value
strings.icontains  substring  Scanned by Gmail
regex.icount       regex      \.pdf|\.(doc|xls|ppt)x?
regex.icontains    regex      d[ao0]wnl[ao0]{2}d all
regex.icontains    regex      [KM]b\b