
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule identifies messages carrying an RFC822 attachment whose nested message contains language indicative of suspicious file-sharing activity (for example "shared ... with you" or "View Document") together with a small number of links. It checks both the original sender and the nested sender against the highly trusted sender domain list, letting those domains through only when a hop reports a DMARC failure. The original message is unsolicited, and the sender has not previously been flagged as a false positive.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing
Tactics and techniques  Evasion, Social engineering

Event coverage

Rule body MQL

type.inbound
and any(attachments,
        .file_type == "unknown"
        and (.content_type == "message/rfc822" or .file_extension in ('eml'))
        and regex.contains(file.parse_eml(.).subject.subject,
                           '(shared.{0,30}with you|View Document)'
        )
        and 0 < length(file.parse_eml(.).body.links) < 10
        and file.parse_eml(.).sender.email.email not in $recipient_emails

        // exclude bounce backs & read receipts
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        and not regex.imatch(file.parse_eml(.).subject.subject,
                             "(undeliverable|read:).*"
        )
        and not any(file.parse_eml(.).attachments,
                    .content_type == "message/delivery-status"
        )

        // negate highly trusted sender domains in the nested eml unless they fail DMARC
        and (
          (
            file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
            and (
              any(distinct(file.parse_eml(.).headers.hops,
                           .authentication_results.dmarc is not null
                  ),
                  strings.ilike(.authentication_results.dmarc, "*fail")
              )
            )
          )
          or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
        )
        // negate org domains as the nested sender (no DMARC check on this branch)
        and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

This rule identifies messages carrying an RFC822 attachment whose nested message contains language indicative of suspicious file-sharing activity together with a small number of links. It checks both the original sender and the nested sender against the highly trusted sender domain list, letting those domains through only when a hop reports a DMARC failure. The original message is unsolicited, and the sender has not previously been flagged as a false positive.

  1. inbound message
  2. any of attachments where all hold:
    • .file_type is 'unknown'
    • any of:
      • .content_type is 'message/rfc822'
      • .file_extension in ('eml')
    • file.parse_eml(.).subject.subject matches '(shared.{0,30}with you|View Document)'
    • all of:
      • length(file.parse_eml(.).body.links) > 0
      • length(file.parse_eml(.).body.links) < 10
    • file.parse_eml(.).sender.email.email not in $recipient_emails
    • not:
      • file.parse_eml(.).sender.email.local_part matches any of 3 patterns
        • *postmaster*
        • *mailer-daemon*
        • *administrator*
    • not:
      • file.parse_eml(.).subject.subject matches '(undeliverable|read:).*'
    • not:
      • any of file.parse_eml(.).attachments where:
        • .content_type is 'message/delivery-status'
    • any of:
      • all of:
        • file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
        • any of distinct(...) where:
          • .authentication_results.dmarc matches '*fail'
      • file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
    • not:
      • file.parse_eml(.).sender.email.domain.root_domain in $org_domains
  3. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • any of distinct(headers.hops) where:
        • .authentication_results.dmarc matches '*fail'
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  4. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  5. not:
    • profile.by_sender().any_messages_benign

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, headers.hops, headers.hops[].authentication_results.dmarc, sender.email.domain.root_domain, type.inbound. Sensors: file.parse_eml, profile.by_sender, regex.contains, regex.imatch, strings.ilike, strings.like. Reference lists: $high_trust_sender_root_domains, $org_domains, $recipient_emails.
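To see how the steps above behave on a real message, the following script re-implements the rule's checks in plain Python over a constructed outer message with a forwarded .eml attached. It is an added example, not Sublime's code or the rule itself: the `$high_trust_sender_root_domains`, `$org_domains` and `$recipient_emails` lists are stand-in sets, the sender profile is a hand-built dict, `root_domain` is approximated as the last two labels (MQL uses the public suffix list), link extraction is a URL regex rather than Sublime's body parser, and `type.inbound` and `.file_type == "unknown"` are assumed to hold. Everything else mirrors the MQL step by step, including the DMARC-failure carve-out for trusted domains and the bounce/read-receipt exclusions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Stand-ins for the Sublime reference lists (assumptions, not real list contents).
HIGH_TRUST_ROOT_DOMAINS = {"example.org"}      # $high_trust_sender_root_domains
ORG_DOMAINS = {"example.com"}                  # $org_domains
RECIPIENT_EMAILS = {"alice@example.com"}       # $recipient_emails

SUBJECT_RE = re.compile(r"(shared.{0,30}with you|View Document)")          # regex.contains
BOUNCE_SUBJECT_RE = re.compile(r"(undeliverable|read:).*", re.IGNORECASE)  # regex.imatch (anchored)
BOUNCE_LOCAL_PARTS = ("postmaster", "mailer-daemon", "administrator")      # strings.like "*x*"
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)               # stand-in for body.links

def root_domain(addr):
    """Approximate MQL root_domain: last two labels (no public suffix list here)."""
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def dmarc_failed(msg):
    """any(hops where dmarc is not null, strings.ilike(dmarc, '*fail'))."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=([a-z]+)", str(hdr), re.IGNORECASE)
        if m and m.group(1).lower().endswith("fail"):
            return True
    return False

def trusted_domain_ok(msg, addr):
    """A high-trust root domain only stays in scope when some hop reports DMARC failure."""
    return dmarc_failed(msg) if root_domain(addr) in HIGH_TRUST_ROOT_DOMAINS else True

def body_links(msg):
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            links.extend(LINK_RE.findall(part.get_content()))
    return links

def leaf_parts(msg):
    """Direct leaf parts of the outer message; does not descend into nested messages."""
    if msg.get_content_maintype() == "multipart":
        for part in msg.iter_parts():
            yield from leaf_parts(part)
    else:
        yield msg

def nested_message(part):
    """file.parse_eml(.) for message/rfc822 parts or .eml-named attachments."""
    if part.get_content_type() == "message/rfc822":
        return part.get_payload(0)
    if (part.get_filename() or "").lower().endswith(".eml"):
        raw = part.get_payload(decode=True)
        return BytesParser(policy=policy.default).parsebytes(raw) if raw else None
    return None

def nested_is_suspicious(inner):
    subject = str(inner.get("Subject", ""))
    sender = parseaddr(str(inner.get("From", "")))[1].lower()
    local_part = sender.split("@", 1)[0]
    return (
        SUBJECT_RE.search(subject) is not None
        and 0 < len(body_links(inner)) < 10
        and sender not in RECIPIENT_EMAILS
        and not any(tok in local_part for tok in BOUNCE_LOCAL_PARTS)
        and BOUNCE_SUBJECT_RE.fullmatch(subject) is None
        and not any(p.get_content_type() == "message/delivery-status" for p in inner.walk())
        and trusted_domain_ok(inner, sender)
        and root_domain(sender) not in ORG_DOMAINS
    )

def rule_matches(raw_eml, profile):
    """profile stands in for profile.by_sender(): solicited, any_messages_malicious_or_spam, any_messages_benign."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    nested = (nested_message(p) for p in leaf_parts(msg))
    if not any(inner is not None and nested_is_suspicious(inner) for inner in nested):
        return False
    if not trusted_domain_ok(msg, parseaddr(str(msg.get("From", "")))[1].lower()):
        return False
    if profile["any_messages_benign"]:
        return False
    return (not profile["solicited"]) or profile["any_messages_malicious_or_spam"]

# Constructed sample: an untrusted forwarder relays a "shared with you" lure as an .eml attachment.
INNER_EML = b"""From: Files Portal <share@notice.example.net>
To: alice@example.com
Subject: Quarterly report shared with you
Authentication-Results: mx.example.com; dmarc=none header.from=notice.example.net
Content-Type: text/html; charset=us-ascii

<html><body><p>A file was shared with you.</p>
<a href="https://files-view.example.net/doc/12345">View Document</a></body></html>
"""
SAMPLE_EML = b"""From: Bob <bob@mail.example.net>
To: alice@example.com
Subject: FW: document for you
Authentication-Results: mx.example.com; dmarc=pass header.from=mail.example.net
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

Please see the attached message.

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="forwarded.eml"

""" + INNER_EML + b"""
--outer--
"""
UNSOLICITED = {"solicited": False, "any_messages_malicious_or_spam": False, "any_messages_benign": False}

def evaluate_samples():
    """Run the rule over the sample and a few single-change variants of it."""
    trusted_outer = SAMPLE_EML.replace(b"bob@mail.example.net", b"bob@forwarders.example.org")
    bounce = SAMPLE_EML.replace(b"Subject: Quarterly report", b"Subject: Read: Quarterly report")
    return {
        "unsolicited_untrusted": rule_matches(SAMPLE_EML, UNSOLICITED),
        "known_benign_sender": rule_matches(SAMPLE_EML, dict(UNSOLICITED, any_messages_benign=True)),
        "trusted_outer_dmarc_pass": rule_matches(trusted_outer, UNSOLICITED),
        "trusted_outer_dmarc_fail": rule_matches(trusted_outer.replace(b"dmarc=pass", b"dmarc=fail"), UNSOLICITED),
        "nested_read_receipt": rule_matches(bounce, UNSOLICITED),
    }

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The variants show the two places the rule is most often misread: a sender on the high-trust list is not simply excluded but is excluded only while its DMARC result is not a failure, and a nested "Read: ..." subject is dropped even though it still contains the lure phrase.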

Indicators matched (10)

Field                                                          Match      Value
attachments[].file_type                                        equals     unknown
attachments[].content_type                                     equals     message/rfc822
attachments[].file_extension                                   member     eml
regex.contains                                                 regex      (shared.{0,30}with you|View Document)
strings.like                                                   substring  *postmaster*
strings.like                                                   substring  *mailer-daemon*
strings.like                                                   substring  *administrator*
regex.imatch                                                   regex      (undeliverable|read:).*
file.parse_eml(attachments[]).attachments[].content_type       equals     message/delivery-status
strings.ilike                                                  substring  *fail