BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Callback Phishing, Spam |
| Tactics and techniques | Impersonation: Brand, Social engineering, Free email provider |
Rule body MQL
```
type.inbound
and 3 of (
    // urgent subjects
    strings.ilike(subject.subject, '*quick question*'),
    strings.ilike(subject.subject, '*urgent*request*'),
    strings.ilike(subject.subject, '*are you available*'),
    strings.ilike(subject.subject, '*need assistance*'),
    strings.ilike(subject.subject, '*help*needed*'),
    regex.icontains(subject.subject, 'favor\b'),
    strings.ilike(subject.subject, '*checking in*'),
    strings.ilike(subject.subject, '*awaiting*response*'),
    strings.ilike(subject.subject, '*catch*up*'),
    // BEC body patterns
    strings.ilike(body.current_thread.text, '*sorry to bother*'),
    strings.ilike(body.current_thread.text, '*are you busy*'),
    strings.ilike(body.current_thread.text, '*can you help*'),
    strings.ilike(body.current_thread.text, '*do you have a moment*'),
    strings.ilike(body.current_thread.text, '*please respond*asap*'),
    strings.ilike(subject.subject, '*quick question*'), // Duplicates the subject check above, so it counts twice toward the threshold
    // brand name
    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?[o0]\s?n'), // Catches "Amaz on", "Amazon", etc.
    regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
    regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),
    // short body
    length(body.current_thread.text) < 200,
    strings.count(body.current_thread.text, ' ') < 30
)
and 3 of (
    // suspicious sender
    sender.email.domain.root_domain in $free_email_providers,
    network.whois(sender.email.domain).days_old < 30,
    // suspicious recipient pattern
    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
    length(recipients.to) <= 1, // Single or 0 recipients
    // header checks
    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
    // different reply-to address
    (
        length(headers.reply_to) > 0
        and sender.email.email not in map(headers.reply_to, .email.email)
    ),
    // sender display name is part of the subject
    strings.icontains(subject.subject, sender.display_name)
)
and profile.by_sender_email().prevalence not in ("common")
```
Detection logic
Scope: inbound message.
- inbound message
- at least 3 of:
  - subject.subject matches '*quick question*'
  - subject.subject matches '*urgent*request*'
  - subject.subject matches '*are you available*'
  - subject.subject matches '*need assistance*'
  - subject.subject matches '*help*needed*'
  - subject.subject matches regex 'favor\b'
  - subject.subject matches '*checking in*'
  - subject.subject matches '*awaiting*response*'
  - subject.subject matches '*catch*up*'
  - body.current_thread.text matches '*sorry to bother*'
  - body.current_thread.text matches '*are you busy*'
  - body.current_thread.text matches '*can you help*'
  - body.current_thread.text matches '*do you have a moment*'
  - body.current_thread.text matches '*please respond*asap*'
  - subject.subject matches '*quick question*' (listed a second time in the rule)
  - body.current_thread.text matches regex 'a\s?m\s?a\s?z\s?[o0]\s?n'
  - body.current_thread.text matches regex 'p\s?a\s?y\s?p\s?a\s?l'
  - body.current_thread.text matches regex 'a\s?p\s?p\s?l\s?e'
  - length(body.current_thread.text) < 200
  - strings.count(body.current_thread.text, ' ') < 30
- at least 3 of:
  - sender.email.domain.root_domain in $free_email_providers
  - network.whois(sender.email.domain).days_old < 30
  - any of recipients.to where .display_name matches 'undisclosed?recipients'
  - length(recipients.to) ≤ 1
  - headers.mailer starts with 'Open-Xchange Mailer'
  - headers.x_originating_ip.ip matches '*.*.*.0'
  - all of:
    - length(headers.reply_to) > 0
    - sender.email.email not in map(headers.reply_to, .email.email)
  - subject.subject contains sender.display_name (case-insensitive)
- profile.by_sender_email().prevalence not in ('common')
Inspects: body.current_thread.text, headers.mailer, headers.reply_to, headers.reply_to[].email.email, headers.x_originating_ip.ip, recipients.to, recipients.to[].display_name, sender.display_name, sender.email.domain, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: network.whois, profile.by_sender_email, regex.icontains, strings.count, strings.icontains, strings.ilike, strings.starts_with. Reference lists: $free_email_providers.
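To show how the two "3 of" groups combine, the following added example (not Sublime's code and not part of this rule page) re-implements the rule's logic in Python and runs it over two constructed messages. It assumes strings.ilike is a case-insensitive whole-string glob, uses a small constructed set in place of the $free_email_providers list, treats the sender domain as its root domain, and takes the WHOIS age and sender prevalence as plain fields on the message because there is no enrichment service to call; the Message class, sample messages and helper names are all hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for Sublime's $free_email_providers reference list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
SUBJECT_GLOBS = ["*quick question*", "*urgent*request*", "*are you available*", "*need assistance*",
                 "*help*needed*", "*checking in*", "*awaiting*response*", "*catch*up*"]
BODY_GLOBS = ["*sorry to bother*", "*are you busy*", "*can you help*",
              "*do you have a moment*", "*please respond*asap*"]
# Brand names with optional whitespace between letters, copied from the rule body.
BRAND_REGEXES = [r"a\s?m\s?a\s?z\s?[o0]\s?n", r"p\s?a\s?y\s?p\s?a\s?l", r"a\s?p\s?p\s?l\s?e"]

def ilike(text, glob):
    """Emulate strings.ilike as a case-insensitive whole-string glob ('*' any run, '?' one char).
    Assumption: MQL ilike matches the whole string, which is why the rule wraps terms in '*'."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.fullmatch(rx, text or "", re.IGNORECASE | re.DOTALL) is not None

def regex_icontains(text, pattern):
    """Emulate regex.icontains: case-insensitive regex search anywhere in the string."""
    return re.search(pattern, text or "", re.IGNORECASE) is not None

@dataclass
class Message:
    """Constructed message model with only the fields the rule inspects. WHOIS age and sender
    prevalence are plain fields because this example has no enrichment services to call."""
    subject: str
    body: str                    # stands in for body.current_thread.text
    sender_email: str
    sender_display_name: str
    to: list                     # (display_name, email) tuples
    reply_to: list = field(default_factory=list)
    mailer: str = ""
    originating_ip: str = ""
    domain_days_old: int = 3650  # stands in for network.whois(...).days_old
    sender_prevalence: str = "new"  # stands in for profile.by_sender_email().prevalence

def content_indicators(m):
    """First '3 of' group: urgent wording, brand names, short body.
    The rule lists '*quick question*' twice; this emulation counts it once."""
    hits = [f"subject ilike {g}" for g in SUBJECT_GLOBS if ilike(m.subject, g)]
    if regex_icontains(m.subject, r"favor\b"):
        hits.append(r"subject regex favor\b")
    hits += [f"body ilike {g}" for g in BODY_GLOBS if ilike(m.body, g)]
    hits += [f"body regex {r}" for r in BRAND_REGEXES if regex_icontains(m.body, r)]
    if len(m.body) < 200:
        hits.append("body shorter than 200 chars")
    if m.body.count(" ") < 30:
        hits.append("body has fewer than 30 spaces")
    return hits

def sender_indicators(m):
    """Second '3 of' group: sender, recipient and header traits.
    Simplification: the sender's domain is used as its root domain."""
    hits = []
    if m.sender_email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_PROVIDERS:
        hits.append("free email provider")
    if m.domain_days_old < 30:
        hits.append("sender domain under 30 days old")
    if any(ilike(name, "undisclosed?recipients") for name, _ in m.to):
        hits.append("undisclosed recipients display name")
    if len(m.to) <= 1:
        hits.append("single or no To recipient")
    if m.mailer.startswith("Open-Xchange Mailer"):
        hits.append("Open-Xchange mailer")
    if ilike(m.originating_ip, "*.*.*.0"):
        hits.append("originating IP ends in .0")
    if m.reply_to and m.sender_email.lower() not in {r.lower() for r in m.reply_to}:
        hits.append("reply-to differs from sender")
    if m.sender_display_name and m.sender_display_name.lower() in m.subject.lower():
        hits.append("sender display name appears in subject")
    return hits

def evaluate(m):
    """Apply the rule: both groups need at least 3 hits and the sender must not be 'common'."""
    content, sender = content_indicators(m), sender_indicators(m)
    return len(content) >= 3 and len(sender) >= 3 and m.sender_prevalence != "common", content, sender

# Constructed samples: one showing the pattern the rule describes, one routine internal mail.
BEC_SAMPLE = Message(
    subject="Quick question",
    body="Sorry to bother you, are you busy? Can you help me with something? Please respond ASAP.",
    sender_email="exec.desk.2024@gmail.com", sender_display_name="Pat Doe",
    to=[("Undisclosed Recipients", "undisclosed-recipients:;")],
    reply_to=["exec.desk.private@outlook.com"])
BENIGN_SAMPLE = Message(
    subject="Q3 budget review notes",
    body=" ".join(["The attached deck covers the Q3 variance analysis and the revised forecast."] * 4),
    sender_email="alice@corp.example", sender_display_name="Alice Smith",
    to=[("Bob", "bob@corp.example"), ("Carol", "carol@corp.example")], sender_prevalence="common")

if __name__ == "__main__":
    for label, msg in (("BEC sample", BEC_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        matched, content, sender = evaluate(msg)
        print(f"{label}: matched={matched} content_hits={len(content)} sender_hits={len(sender)}")
```

Returning the matched indicator names rather than a bare boolean mirrors how an analyst triages this kind of scored rule: the constructed BEC sample fires on seven content indicators and four sender indicators, while the routine message fires on none and is additionally excluded by its "common" sender prevalence. The `ilike` helper also makes the `*.*.*.0` check concrete: it only accepts addresses whose last octet is exactly 0, so `1.2.3.10` does not match.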
Indicators matched (20)
| Function | Match type | Value |
|---|---|---|
| strings.ilike | substring | *quick question* |
| strings.ilike | substring | *urgent*request* |
| strings.ilike | substring | *are you available* |
| strings.ilike | substring | *need assistance* |
| strings.ilike | substring | *help*needed* |
| regex.icontains | regex | favor\b |
| strings.ilike | substring | *checking in* |
| strings.ilike | substring | *awaiting*response* |
| strings.ilike | substring | *catch*up* |
| strings.ilike | substring | *sorry to bother* |
| strings.ilike | substring | *are you busy* |
| strings.ilike | substring | *can you help* |
| strings.ilike | substring | *do you have a moment* |
| strings.ilike | substring | *please respond*asap* |
| regex.icontains | regex | a\s?m\s?a\s?z\s?[o0]\s?n |
| regex.icontains | regex | p\s?a\s?y\s?p\s?a\s?l |
| regex.icontains | regex | a\s?p\s?p\s?l\s?e |
| strings.ilike | substring | undisclosed?recipients |
| strings.starts_with | prefix | Open-Xchange Mailer |
| strings.ilike | substring | *.*.*.0 |