
BEC/Fraud: Scam lure with freemail pivot

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule detects BEC/Fraud lures that attempt to solicit the victim into pivoting out of band via a freemail address in the body.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              BEC/Fraud
Tactics and techniques    Free email provider, Out of band pivot

Event coverage

Rule body MQL

type.inbound

// body is short
and length(body.current_thread.text) < 800

// one recipient
and length(recipients.to) == 1

// all recipients are the sender
and all(recipients.to,
        .email.email == sender.email.email
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
)

// not an org domain
and all(recipients.to,
        .email.domain.root_domain not in $org_domains
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
)

// one link
and length(body.links) == 1

// links don't match sender
and all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
)

// scam indicators
and regex.icontains(body.current_thread.text,
                    '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
)

// body contains an email address to a freemail provider
and (
  regex.contains(body.current_thread.text,
                 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )
  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. length(body.current_thread.text) < 800
  3. length(recipients.to) is 1
  4. all of recipients.to where all hold:
    • .email.email is sender.email.email
    • any of:
      • .email.domain.valid
      • .display_name contains 'undisclosed'
  5. all of recipients.to where all hold:
    • .email.domain.root_domain not in $org_domains
    • any of:
      • .email.domain.valid
      • .display_name contains 'undisclosed'
  6. length(body.links) is 1
  7. all of body.links where:
    • .href_url.domain.root_domain is not sender.email.domain.root_domain
  8. body.current_thread.text matches '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
  9. all of:
    • body.current_thread.text matches '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}'
    • any of $free_email_providers where:
      • strings.icontains(body.current_thread.text, .)

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.root_domain, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: regex.contains, regex.icontains, strings.icontains. Reference lists: $free_email_providers, $org_domains.
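The nine conditions above, re-implemented in Python so the rule can be exercised offline against constructed messages. This is an added illustration, not code from the Sublime rule or repository: the Message and Recipient classes, the ORG_DOMAINS and FREE_EMAIL_PROVIDERS sets, and the root_domain helper are simplified stand-ins for the MQL message object, the $org_domains and $free_email_providers reference lists, and the public-suffix-aware .root_domain field; the two regular expressions are copied from the rule body. The function returns the names of the conditions that did not hold, which shows which clause suppresses a benign newsletter that otherwise carries a salutation and a freemail address.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for the rule's $org_domains and $free_email_providers lists (assumption).
ORG_DOMAINS = {"example-corp.com"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

# The two patterns from the rule body, unchanged.
SCAM_INDICATORS = re.compile(
    r"((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)",
    re.IGNORECASE,
)
EMAIL_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Recipient:
    email: str
    display_name: str = ""
    domain_valid: bool = True  # stands in for .email.domain.valid


@dataclass
class Message:
    inbound: bool
    sender: str
    to: list[Recipient]
    body_text: str          # stands in for body.current_thread.text
    link_hrefs: list[str]   # stands in for body.links[].href_url


def root_domain(host: str) -> str:
    """Approximation of MQL's .root_domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rsplit(".", 2)
    return ".".join(labels[-2:])


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _valid_or_undisclosed(r: Recipient) -> bool:
    # Shared sub-clause of conditions 4 and 5 in the rule body.
    return r.domain_valid or "undisclosed" in r.display_name.lower()


def failed_conditions(msg: Message) -> list[str]:
    """Evaluate the rule's conditions in order; an empty list means the rule fires."""
    body = msg.body_text
    body_lower = body.lower()
    sender_root = root_domain(email_domain(msg.sender))
    checks = [
        ("type.inbound", msg.inbound),
        ("body is short", len(body) < 800),
        ("one recipient", len(msg.to) == 1),
        ("all recipients are the sender",
         all(r.email.lower() == msg.sender.lower() and _valid_or_undisclosed(r) for r in msg.to)),
        ("not an org domain",
         all(root_domain(email_domain(r.email)) not in ORG_DOMAINS and _valid_or_undisclosed(r)
             for r in msg.to)),
        ("one link", len(msg.link_hrefs) == 1),
        ("links don't match sender",
         all(root_domain(urlparse(h).hostname or "") != sender_root for h in msg.link_hrefs)),
        ("scam indicators", SCAM_INDICATORS.search(body) is not None),
        ("freemail address in body",
         EMAIL_ADDRESS.search(body) is not None
         and any(p in body_lower for p in FREE_EMAIL_PROVIDERS)),
    ]
    return [name for name, ok in checks if not ok]


def rule_fires(msg: Message) -> bool:
    return not failed_conditions(msg)


# Constructed sample: a self-addressed lure steering the reader to a Gmail mailbox.
LURE = Message(
    inbound=True,
    sender="notice@promo-mailer.example",
    to=[Recipient(email="notice@promo-mailer.example", display_name="undisclosed-recipients")],
    body_text=("Dear Sir, kindly reach me directly at claims.desk@gmail.com so we can "
               "finalise your payment. Details: http://promo-mailer-docs.example/view"),
    link_hrefs=["http://promo-mailer-docs.example/view"],
)

# Constructed sample: a vendor newsletter to an org mailbox that must not fire.
NEWSLETTER = Message(
    inbound=True,
    sender="news@vendor.example",
    to=[Recipient(email="alice@example-corp.com", display_name="Alice")],
    body_text=("Dear Mr. Smith, our support desk moved to help@gmail.com. "
               "Read more: http://vendor.example/blog"),
    link_hrefs=["http://vendor.example/blog"],
)

if __name__ == "__main__":
    for label, m in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(label, "fires" if rule_fires(m) else "suppressed by", failed_conditions(m))
```

Running the block reports that the lure fires and that the newsletter is held back by three clauses at once (recipient is not the sender, recipient is an org domain, and the link shares the sender's root domain), which is the layered structure that keeps this low-severity rule from firing on ordinary vendor mail that happens to contain a formal salutation and a freemail address.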

Indicators matched (3)

Field               Match       Value
strings.icontains   substring   undisclosed
regex.icontains     regex       ((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)
regex.contains      regex       [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}