Attachment: RTF file with suspicious link
This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| recipients |
| recipients.to (collection) |
| type |
Rule body (MQL)
```
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_common_archives
          or .file_type == "rtf"
        )
        and any(file.explode(.),
                .flavors.mime == 'text/rtf'
                and any(.scan.url.urls,
                        .domain.valid
                        and .domain.subdomain is not null
                        and not (
                          strings.ends_with(.url, "jpeg")
                          or strings.ends_with(.url, "png")
                        )
                        and (
                          (
                            .domain.root_domain not in $tranco_1m
                            and .domain.root_domain not in $umbrella_1m
                          )
                          or (
                            .domain.root_domain in $free_file_hosts
                            or .domain.root_domain in $free_subdomain_hosts
                            or .domain.root_domain in $url_shorteners
                            or .domain.root_domain in $social_landing_hosts
                          )
                          // or the URL contains the recipient's address and the root domain
                          // is not in the Tranco or Umbrella top 1M
                          or (
                            any(recipients.to,
                                strings.icontains(..url, .email.email)
                            )
                            and (
                              .domain.root_domain not in $tranco_1m
                              and .domain.root_domain not in $umbrella_1m
                            )
                          )
                        )
                )
        )
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - any of:
    - .file_extension in $file_extensions_common_archives
    - .file_type is 'rtf'
  - any of file.explode(.) where all hold:
    - .flavors.mime is 'text/rtf'
    - any of .scan.url.urls where all hold:
      - .domain.valid
      - .domain.subdomain is set
      - none of:
        - .url ends with 'jpeg'
        - .url ends with 'png'
      - any of:
        - all of:
          - .domain.root_domain not in $tranco_1m
          - .domain.root_domain not in $umbrella_1m
        - any of:
          - .domain.root_domain in $free_file_hosts
          - .domain.root_domain in $free_subdomain_hosts
          - .domain.root_domain in $url_shorteners
          - .domain.root_domain in $social_landing_hosts
        - all of:
          - any of recipients.to where:
            - strings.icontains(..url, .email.email)
          - all of:
            - .domain.root_domain not in $tranco_1m
            - .domain.root_domain not in $umbrella_1m
- not:
  - profile.by_sender().solicited
- not:
  - profile.by_sender().any_messages_benign
Inspects: attachments[].file_extension, attachments[].file_type, recipients.to, recipients.to[].email.email, type.inbound. Sensors: file.explode, profile.by_sender, strings.ends_with, strings.icontains. Reference lists: $file_extensions_common_archives, $free_file_hosts, $free_subdomain_hosts, $social_landing_hosts, $tranco_1m, $umbrella_1m, $url_shorteners.
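As an added illustration (not Sublime's code and not the rule engine itself), the Python below re-implements the per-attachment logic of the rule over constructed sample data: it pulls RTF payloads out of a direct attachment or a zip, extracts HYPERLINK field codes and bare URLs as a crude stand-in for the URL scan that file.explode performs, and applies the same domain conditions. The reference lists ($tranco_1m, $umbrella_1m, $free_file_hosts, $free_subdomain_hosts, $url_shorteners, $social_landing_hosts) are replaced with tiny constructed sets, root/subdomain splitting uses a last-two-labels simplification rather than a public-suffix list, and every function name (split_domain, extract_urls, is_suspicious_url, rtf_attachment_has_suspicious_link, make_zip) and every sample RTF body is invented for this example.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-ins for the Sublime reference lists the rule uses.
# The real lists hold up to a million entries; these are a handful of samples.
TRANCO_1M = {"microsoft.com", "google.com", "mega.nz"}
UMBRELLA_1M = {"microsoft.com", "google.com", "mega.nz"}
FREE_FILE_HOSTS = {"mega.nz"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com"}
URL_SHORTENERS = {"bit.ly"}
SOCIAL_LANDING_HOSTS = {"linktr.ee"}
ARCHIVE_EXTENSIONS = {"zip"}  # stand-in for $file_extensions_common_archives

# Links usually appear in RTF either as a HYPERLINK field code or as a bare URL.
_HYPERLINK_RE = re.compile(rb'HYPERLINK\s+"([^"]+)"', re.IGNORECASE)
_BARE_URL_RE = re.compile(rb'https?://[^\s"\\{}]+')


@dataclass
class Domain:
    valid: bool
    root_domain: str
    subdomain: Optional[str]


def split_domain(host: str) -> Domain:
    """Simplified split: root = last two labels (a public-suffix list would be
    needed for names such as example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return Domain(False, host, None)
    return Domain(True, ".".join(labels[-2:]), ".".join(labels[:-2]) or None)


def extract_urls(rtf_bytes: bytes) -> List[str]:
    """Crude stand-in for the URLs file.explode() reports for a text/rtf flavor."""
    found = [m.group(1) for m in _HYPERLINK_RE.finditer(rtf_bytes)]
    found += [m.group(0) for m in _BARE_URL_RE.finditer(rtf_bytes)]
    return list(dict.fromkeys(u.decode("ascii", "ignore") for u in found))


def is_suspicious_url(url: str, recipient_emails: List[str]) -> bool:
    """Apply the per-URL conditions of the rule body."""
    if url.lower().endswith(("jpeg", "png")):  # image links are excluded
        return False
    host = urlparse(url).hostname
    if not host:
        return False
    d = split_domain(host)
    if not d.valid or d.subdomain is None:  # the rule requires a subdomain
        return False
    low_reputation = d.root_domain not in TRANCO_1M and d.root_domain not in UMBRELLA_1M
    abusable_host = d.root_domain in (
        FREE_FILE_HOSTS | FREE_SUBDOMAIN_HOSTS | URL_SHORTENERS | SOCIAL_LANDING_HOSTS
    )
    recipient_in_url = any(e.lower() in url.lower() for e in recipient_emails)
    # Third branch kept as the rule writes it; it is already implied by low_reputation.
    return low_reputation or abusable_host or (recipient_in_url and low_reputation)


@dataclass
class Attachment:
    file_name: str
    content: bytes


def _rtf_bodies(att: Attachment) -> List[bytes]:
    """RTF payloads from the attachment itself or from members of a zip archive."""
    ext = att.file_name.rsplit(".", 1)[-1].lower()
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
                return [d for d in (zf.read(n) for n in zf.namelist()) if d.startswith(b"{\\rtf")]
        except zipfile.BadZipFile:
            return []
    if ext == "rtf" or att.content.startswith(b"{\\rtf"):
        return [att.content]
    return []


def rtf_attachment_has_suspicious_link(att: Attachment, recipient_emails: List[str]) -> bool:
    """True when the attachment (or an RTF inside it) carries a suspicious link."""
    return any(is_suspicious_url(u, recipient_emails)
               for body in _rtf_bodies(att) for u in extract_urls(body))


def make_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory zip with one member (used to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


# Constructed sample RTF bodies (invented hosts, not real indicators).
PHISH_RTF = (b"{\\rtf1\\ansi Your mailbox quota was exceeded. "
             b'{\\field{\\*\\fldinst HYPERLINK "https://login.mail-quota-check.invented-host.net/?u=alice@corp.example"}'
             b"{\\fldrslt Resolve now}}}")
FILE_HOST_RTF = b"{\\rtf1\\ansi Download: https://share.mega.nz/file/abc}"
BENIGN_RTF = (b"{\\rtf1\\ansi See https://www.microsoft.com/brand/logo.png and "
              b'{\\field{\\*\\fldinst HYPERLINK "https://docs.google.com/document/d/abc"}{\\fldrslt the doc}}}')
```

PHISH_RTF fires through the low-reputation branch, FILE_HOST_RTF through the abusable-host branch even though its root domain is in the constructed Tranco set, and BENIGN_RTF is excluded because one link ends in png and the other resolves to a ranked root domain. As in the rule, a bare shortener link such as https://bit.ly/... does not match because it has no subdomain.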
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | rtf |
| file.explode(attachments[])[].flavors.mime | equals | text/rtf |
| strings.ends_with | suffix | jpeg |
| strings.ends_with | suffix | png |