Detection rules › Sublime MQL
Attachment: Calendar invite with suspicious link leading to an open redirect
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free email provider, Free file host, Free subdomain host, ICS Phishing, Open redirect |
Event coverage
Rule body MQL
type.inbound
and any(attachments,
(
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
any(.scan.url.urls,
(
.domain.domain in $free_file_hosts
or (
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and .domain.subdomain != "www"
)
)
and any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Detection logic
Scope: inbound message.
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
- inbound message
any of
attachmentswhere all hold:any of:
- .file_extension is 'ics'
- .content_type in ('application/ics', 'text/calendar')
any of
file.explode(.)where:any of
.scan.url.urlswhere all hold:any of:
- .domain.domain in $free_file_hosts
all of:
- .domain.root_domain in $free_subdomain_hosts
- .domain.subdomain is set
none of:
- .url ends with 'jpeg'
- .url ends with 'png'
- .domain.subdomain is not 'www'
any of
ml.link_analysis(.).final_dom.linkswhere:any of
.href_url.rewrite.encoderswhere:- . contains 'open_redirect'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
any of
distinct(headers.hops)where:- .authentication_results.dmarc matches '*fail'
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, headers.hops, headers.hops[].authentication_results.dmarc, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.link_analysis, profile.by_sender, strings.ends_with, strings.icontains, strings.ilike. Reference lists: $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains.
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
attachments[].file_extension | equals | ics |
attachments[].content_type | member | application/ics |
attachments[].content_type | member | text/calendar |
strings.ends_with | suffix | jpeg |
strings.ends_with | suffix | png |
strings.icontains | substring | open_redirect |
strings.ilike | substring | *fail |