detection.wiki

Detection rules › Sublime MQL

Business Email Compromise (BEC) attempt from untrusted sender

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesSocial engineering

Event coverage

Message attribute
attachments (collection)
body.current_thread
headers (collection)
headers.auth_summary
sender.email
subject
type

Rule body MQL

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec") and .confidence == "high"
)
// negating legit replies
and not (
  (
    (
      subject.is_reply
      or subject.is_forward
      // out of office auto-reply
      // the NLU model will handle these better natively soon
      or strings.istarts_with(subject.subject, "Automatic reply:")
    )
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  or (
    // calendar invite responses
    regex.icontains(subject.base,
                    '(?:Accepted|Declined|New Time Proposed|Tentative):'
    )
    and any(attachments, .content_type == "text/calendar")
    and profile.by_sender_email().solicited
  )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.

  1. inbound message
  2. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name in ('bec')
    • .confidence is 'high'
  3. none of:
    • all of:
      • any of:
        • subject.is_reply
        • subject.is_forward
        • subject.subject starts with 'Automatic reply:'
      • any of:
        • length(headers.references) > 0
        • headers.in_reply_to is set
    • all of:
      • subject.base matches '(?:Accepted|Declined|New Time Proposed|Tentative):'
      • any of attachments where:
        • .content_type is 'text/calendar'
      • profile.by_sender_email().solicited
  4. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  5. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].content_type, body.current_thread.text, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, sender.email.domain.root_domain, subject.base, subject.is_forward, subject.is_reply, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, profile.by_sender_email, regex.icontains, strings.istarts_with. Reference lists: $high_trust_sender_root_domains.

Indicators matched (5)

FieldMatchValue
ml.nlu_classifier(body.current_thread.text).intents[].namememberbec
ml.nlu_classifier(body.current_thread.text).intents[].confidenceequalshigh
strings.istarts_withprefixAutomatic reply:
regex.icontainsregex(?:Accepted|Declined|New Time Proposed|Tentative):
attachments[].content_typeequalstext/calendar