detection.wiki

Detection rules › Sublime MQL

Attachment: PDF bid/proposal lure with credential theft indicators

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud, Credential Phishing
Tactics and techniquesPDF, Social engineering, Free file host, Free subdomain host

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.links (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
// only one attachment
and length(attachments) == 1
// only pdfs with one page
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and any(attachments, .file_type == 'pdf' and beta.parse_exif(.).page_count == 1)
// two of these...
and 2 of (
  // bid/rfp/proposal phrases commonly observed in lures which are in the display text of a url from the pdf
  any(attachments,
      any(file.explode(.),
          any(.scan.url.urls,
              regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                              '(?:\b(?:request|review)\b.{1,5}\b(?:bid|proposal|rfp|rfq|quotation)\b|\b(?:bid|proposal|rfp|rfq|quotation)\b.{1,5}\b(?:request|review)\b)'
              )
          )
      )
  ),
  (
    // bid/rfp/proposal phrases commonly observed in lures which are in various spots in the message
    any([subject.base, sender.display_name, body.current_thread.text],
        regex.icontains(., '\b(?:bid|proposal|rfp|rfq|quotation)\b')
    )
  ),
  // bid/rfp/proposal phrases commonly observed in lures which are in the file name
  any(attachments,
      regex.icontains(.file_name, '\b(?:bid|proposal|rfp|rfq|quotation)\b')
  ),
  any(attachments,
      any(file.explode(.),
          // bid/rfp/proposal phrases commonly observed in lures which are in the ocr of the pdf
          regex.icontains(.scan.ocr.raw,
                          '(?:\b(?:request|review)\b.{1,5}\\b(?:bid|proposal|rfp|rfq|quotation)\b|\b(?:bid|proposal|rfp|rfq|quotation)\b.{1,5}\b(?:request|review)\b)'
          )
      )
  ),
  (
    any(attachments,
        any(file.explode(.),
            any(.scan.url.urls,
                // bid/rfp/proposal phrases commonly observed in lures which are in the url
                regex.icontains(.url,
                                '(?:bid|proposal|agreement|contract|settlement|RFQ|RFP|quotation)'
                )
            )
        )
    )
  )
)

// ocr indicates high confidence cred theft
and (
  any(attachments,
      any(file.explode(.),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
              .name == 'cred_theft' and .confidence == 'high'
          )
          or any(ml.nlu_classifier(.scan.ocr.raw).topics,
                 .name == 'Purchase Orders' and .confidence == 'high'
          )
      )
  )
  // message body current thread indicates high confidence cred theft
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == 'cred_theft' and .confidence == 'high'
  )
  // message body current thread indicates high confidence cred theft
  or any(ml.nlu_classifier(body.current_thread.text).topics,
         .name == 'Purchase Orders' and .confidence == 'high'
  )
)

// pdf contains some suspicious url domain
and (
  any(attachments,
      any(file.explode(.),
          any(.scan.url.urls,
              .domain.root_domain in $self_service_creation_platform_domains
              or .domain.domain in $self_service_creation_platform_domains
              or .domain.root_domain in $free_file_hosts
              or .domain.domain in $free_file_hosts
              or .domain.root_domain in $free_subdomain_hosts
              or .domain.domain in $free_subdomain_hosts
              or .domain.tld in $suspicious_tlds
              or .domain.domain in $url_shorteners
              or .domain.root_domain in $url_shorteners
          )
      )
  )
)
// we dont want emails where all the links are docusign or dotloop
and not all(body.links,
            .href_url.domain.root_domain in (
              'docusign.net',
              'docusign.com',
              'dotloop.com'
            )
)
// negating solicited senders is necessary due to the nature of the rule
and not profile.by_sender().solicited

// negate workflow robot
and not (
  sender.email.local_part == 'workflow.robot'
  and sender.email.domain.root_domain == 'effem.com'
)

Detection logic

Scope: inbound message.

Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.

  1. inbound message
  2. length(attachments) is 1
  3. any of attachments where all hold:
    • .file_type is 'pdf'
    • beta.parse_exif(.).page_count is 1
  4. at least 2 of:
    • any of attachments where:
      • any of file.explode(.) where:
        • any of .scan.url.urls where:
          • ml.link_analysis(., mode='aggressive').final_dom.display_text matches '(?:\\b(?:request|review)\\b.{1,5}\\b(?:bid|proposal|rfp|rfq|quotation)\\b|\\b(?:bid|proposal|rfp|rfq|quotation)\\b.{1,5}\\b(?:request|review)\\b)'
    • any of [subject.base, sender.display_name, body.current_thread.text] where:
      • . matches '\\b(?:bid|proposal|rfp|rfq|quotation)\\b'
    • any of attachments where:
      • .file_name matches '\\b(?:bid|proposal|rfp|rfq|quotation)\\b'
    • any of attachments where:
      • any of file.explode(.) where:
        • .scan.ocr.raw matches '(?:\\b(?:request|review)\\b.{1,5}\\\\b(?:bid|proposal|rfp|rfq|quotation)\\b|\\b(?:bid|proposal|rfp|rfq|quotation)\\b.{1,5}\\b(?:request|review)\\b)'
    • any of attachments where:
      • any of file.explode(.) where:
        • any of .scan.url.urls where:
          • .url matches '(?:bid|proposal|agreement|contract|settlement|RFQ|RFP|quotation)'
  5. any of:
    • any of attachments where:
      • any of file.explode(.) where any holds:
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is 'cred_theft'
          • .confidence is 'high'
        • any of ml.nlu_classifier(.scan.ocr.raw).topics where all hold:
          • .name is 'Purchase Orders'
          • .confidence is 'high'
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'cred_theft'
      • .confidence is 'high'
    • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
      • .name is 'Purchase Orders'
      • .confidence is 'high'
  6. any of attachments where:
    • any of file.explode(.) where:
      • any of .scan.url.urls where any holds:
        • .domain.root_domain in $self_service_creation_platform_domains
        • .domain.domain in $self_service_creation_platform_domains
        • .domain.root_domain in $free_file_hosts
        • .domain.domain in $free_file_hosts
        • .domain.root_domain in $free_subdomain_hosts
        • .domain.domain in $free_subdomain_hosts
        • .domain.tld in $suspicious_tlds
        • .domain.domain in $url_shorteners
        • .domain.root_domain in $url_shorteners
  7. not:
    • all of body.links where:
      • .href_url.domain.root_domain in ('docusign.net', 'docusign.com', 'dotloop.com')
  8. not:
    • profile.by_sender().solicited
  9. not:
    • all of:
      • sender.email.local_part is 'workflow.robot'
      • sender.email.domain.root_domain is 'effem.com'

Inspects: attachments[].file_name, attachments[].file_type, body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, sender.display_name, sender.email.domain.root_domain, sender.email.local_part, subject.base, type.inbound. Sensors: beta.parse_exif, file.explode, ml.link_analysis, ml.nlu_classifier, profile.by_sender, regex.icontains. Reference lists: $free_file_hosts, $free_subdomain_hosts, $self_service_creation_platform_domains, $suspicious_tlds, $url_shorteners.

Indicators matched (18)

FieldMatchValue
attachments[].file_typeequalspdf
regex.icontainsregex(?:\b(?:request|review)\b.{1,5}\b(?:bid|proposal|rfp|rfq|quotation)\b|\b(?:bid|proposal|rfp|rfq|quotation)\b.{1,5}\b(?:request|review)\b)
regex.icontainsregex\b(?:bid|proposal|rfp|rfq|quotation)\b
regex.icontainsregex(?:\b(?:request|review)\b.{1,5}\\b(?:bid|proposal|rfp|rfq|quotation)\b|\b(?:bid|proposal|rfp|rfq|quotation)\b.{1,5}\b(?:request|review)\b)
regex.icontainsregex(?:bid|proposal|agreement|contract|settlement|RFQ|RFP|quotation)
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].nameequalscred_theft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidenceequalshigh
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).topics[].nameequalsPurchase Orders
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).topics[].confidenceequalshigh
ml.nlu_classifier(body.current_thread.text).intents[].nameequalscred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidenceequalshigh
ml.nlu_classifier(body.current_thread.text).topics[].nameequalsPurchase Orders
6 more
ml.nlu_classifier(body.current_thread.text).topics[].confidenceequalshigh
body.links[].href_url.domain.root_domainmemberdocusign.net
body.links[].href_url.domain.root_domainmemberdocusign.com
body.links[].href_url.domain.root_domainmemberdotloop.com
sender.email.local_partequalsworkflow.robot
sender.email.domain.root_domainequalseffem.com