detection.wiki

Detection rules › Sublime MQL

Honorific greeting BEC attempt with sender and reply-to mismatch

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesFree email provider, Social engineering

Event coverage

Message attribute
body.current_thread
headers (collection)
headers.auth_summary
headers.reply_to (collection)
sender.email
type

Rule body MQL

type.inbound
// mismatched sender (From) and Reply-to + freemail
and any(headers.reply_to,
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
                and .email.domain.root_domain in $free_email_providers
        )
)

// use of honorific
and regex.icontains(body.current_thread.text,
                    '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
)

// BEC-themed language
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("bec", "advance_fee")
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.

  1. inbound message
  2. any of headers.reply_to where all hold:
    • length(headers.reply_to) > 0
    • all of headers.reply_to where all hold:
      • .email.domain.root_domain is not sender.email.domain.root_domain
      • .email.domain.root_domain in $free_email_providers
  3. body.current_thread.text matches '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\\.?[ \\t]+'
  4. all of:
    • any of ml.nlu_classifier(body.current_thread.text).intents where:
      • .name in ('bec', 'advance_fee')
    • any of ml.nlu_classifier(body.current_thread.text).entities where:
      • .name is 'request'
  5. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  6. any of:
    • all of:
      • profile.by_sender().prevalence in ('new', 'outlier')
      • not:
        • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  7. not:
    • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.reply_to, headers.reply_to[].email.domain.root_domain, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains. Reference lists: $free_email_providers, $high_trust_sender_root_domains.

Indicators matched (4)

FieldMatchValue
regex.icontainsregex(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+
ml.nlu_classifier(body.current_thread.text).intents[].namememberbec
ml.nlu_classifier(body.current_thread.text).intents[].namememberadvance_fee
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsrequest