Detection rules › Sublime MQL
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud |
| Tactics and techniques | Free email provider, Social engineering |
Event coverage
Rule body MQL
type.inbound
// mismatched sender (From) and Reply-to + freemail
and any(headers.reply_to,
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
and .email.domain.root_domain in $free_email_providers
)
)
// use of honorific
and regex.icontains(body.current_thread.text,
'(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
'Dear Sir'
)
// mention of covid or an international organization
and regex.icontains(body.current_thread.text,
'international (court of justice|monetary fund)',
'united nations',
'western union',
'world bank',
'world health organization',
'interpol',
'treasury',
'\bFEMA\b',
'\bIMF\b'
)
// and mention of covid in subject or body
and (
regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
)
// Check for compensation or award related language
and (
2 of (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
),
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
),
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
)
)
or regex.icontains(subject.subject,
'compensation.{0,20}(award|fund)',
'covid.{0,20}(compensation|award)',
'selected.{0,30}(compensation|award)',
'claim your award',
'reference no'
)
or regex.icontains(body.current_thread.text,
'compensation.{0,20}(award|fund)',
'covid.{0,20}(compensation|award)',
'selected.{0,30}(compensation|award)',
'claim your award',
'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b'
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
- inbound message
any of
headers.reply_towhere all hold:- length(headers.reply_to) > 0
all of
headers.reply_towhere all hold:- .email.domain.root_domain is not sender.email.domain.root_domain
- .email.domain.root_domain in $free_email_providers
body.current_thread.text matches any of 2 patterns
(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+Dear Sir
body.current_thread.text matches any of 9 patterns
international (court of justice|monetary fund)united nationswestern unionworld bankworld health organizationinterpoltreasury\bFEMA\b\bIMF\b
any of:
- subject.subject matches 'covid(.{0,5}19)?\\b'
- body.current_thread.text matches 'covid(.{0,5}19)?\\b'
any of:
at least 2 of:
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere:- .name is 'urgency'
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere:- .name is 'request'
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere:- .name is 'financial'
subject.subject matches any of 5 patterns
compensation.{0,20}(award|fund)covid.{0,20}(compensation|award)selected.{0,30}(compensation|award)claim your awardreference no
body.current_thread.text matches any of 5 patterns
compensation.{0,20}(award|fund)covid.{0,20}(compensation|award)selected.{0,30}(compensation|award)claim your awardreference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.reply_to, headers.reply_to[].email.domain.root_domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains. Reference lists: $free_email_providers, $high_trust_sender_root_domains.
Indicators matched (21)
| Field | Match | Value |
|---|---|---|
regex.icontains | regex | (?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+ |
regex.icontains | regex | Dear Sir |
regex.icontains | regex | international (court of justice|monetary fund) |
regex.icontains | regex | united nations |
regex.icontains | regex | western union |
regex.icontains | regex | world bank |
regex.icontains | regex | world health organization |
regex.icontains | regex | interpol |
regex.icontains | regex | treasury |
regex.icontains | regex | \bFEMA\b |
regex.icontains | regex | \bIMF\b |
regex.icontains | regex | covid(.{0,5}19)?\b |
9 more
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | financial |
regex.icontains | regex | compensation.{0,20}(award|fund) |
regex.icontains | regex | covid.{0,20}(compensation|award) |
regex.icontains | regex | selected.{0,30}(compensation|award) |
regex.icontains | regex | claim your award |
regex.icontains | regex | reference no |
regex.icontains | regex | reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b |