
Attachment: Encrypted zip file with payment-related lure

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating that the attachment is encrypted and contains payment-related information, a technique commonly used to evade security scanning by requiring manual extraction with a password supplied in the message body.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | BEC/Fraud, Malware/Ransomware
Tactics and techniques | Encryption, Evasion, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(attachments) > 0
// 3 instances of zip/encrypted/payment information
and 3 of (
  regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
  regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
  regex.icontains(body.current_thread.text,
                  'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
  ),
  regex.icontains(body.current_thread.text,
                  'details.{1,20}payment.{1,30}attach'
  ),
  strings.icontains(subject.subject, "you have received"),
  strings.icontains(subject.subject, "new debit"),
  strings.icontains(subject.subject, "payment confirmation"),
  strings.icontains(subject.subject, "invoice attached")
)
and (
  // the first attachment is a zip file
  attachments[0].file_extension == "zip"
  and (
    regex.icontains(attachments[0].file_name,
                    'payment|invoice|receipt|document|bank'
    )
    // long uppercase passwords
    or regex.contains(body.current_thread.text, '[A-Z]{10,}')
  )
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. length(attachments) > 0
  3. at least 3 of:
    • body.current_thread.text matches 'zip file.{1,50}encrypted'
    • body.current_thread.text matches 'attachment.{1,30}encrypted'
    • body.current_thread.text matches 'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
    • body.current_thread.text matches 'details.{1,20}payment.{1,30}attach'
    • subject.subject contains 'you have received'
    • subject.subject contains 'new debit'
    • subject.subject contains 'payment confirmation'
    • subject.subject contains 'invoice attached'
  4. all of:
    • attachments[0].file_extension is 'zip'
    • any of:
      • attachments[0].file_name matches 'payment|invoice|receipt|document|bank'
      • body.current_thread.text matches '[A-Z]{10,}'

Inspects: attachments[0].file_extension, attachments[0].file_name, body.current_thread.text, subject.subject, type.inbound. Sensors: regex.contains, regex.icontains, strings.icontains.
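To make the "3 of" threshold and the two-stage attachment check concrete, the following Python re-implements the rule's logic over constructed sample messages. This is an added example, not Sublime's engine or code from the sublime-rules repository; the Message and Attachment classes, the field names and the sample messages are assumptions made here, and the regexes are applied with Python's re semantics (no newline-spanning dot), which may differ from MQL's.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Patterns copied from the rule body; everything else in this file is a
# hypothetical re-implementation, not Sublime's own evaluation engine.
BODY_PATTERNS = [
    r"zip file.{1,50}encrypted",
    r"attachment.{1,30}encrypted",
    r"password.{1,5}is.{1,5}[A-Z0-9]{8,}",
    r"details.{1,20}payment.{1,30}attach",
]
SUBJECT_SUBSTRINGS = [
    "you have received",
    "new debit",
    "payment confirmation",
    "invoice attached",
]
FILENAME_PATTERN = r"payment|invoice|receipt|document|bank"
UPPERCASE_RUN = r"[A-Z]{10,}"  # case-sensitive on purpose (regex.contains)


@dataclass
class Attachment:
    file_name: str
    file_extension: str


@dataclass
class Message:
    inbound: bool
    subject: str
    body_text: str  # stands in for body.current_thread.text
    attachments: List[Attachment] = field(default_factory=list)


def matched_indicators(msg: Message) -> List[str]:
    """Return which of the eight 'N of' indicators fire for this message."""
    hits = []
    for pattern in BODY_PATTERNS:  # regex.icontains -> case-insensitive search
        if re.search(pattern, msg.body_text, re.IGNORECASE):
            hits.append(pattern)
    subject = msg.subject.lower()
    for needle in SUBJECT_SUBSTRINGS:  # strings.icontains -> substring match
        if needle in subject:
            hits.append(needle)
    return hits


def matches_rule(msg: Message) -> bool:
    """Mirror the rule: inbound, has attachments, >=3 indicators, zip checks."""
    if not msg.inbound or len(msg.attachments) == 0:
        return False
    if len(matched_indicators(msg)) < 3:
        return False
    first = msg.attachments[0]  # the rule only inspects attachments[0]
    if first.file_extension != "zip":
        return False
    name_hit = re.search(FILENAME_PATTERN, first.file_name, re.IGNORECASE)
    upper_hit = re.search(UPPERCASE_RUN, msg.body_text)
    return bool(name_hit) or bool(upper_hit)


# Constructed samples (not real messages).
LURE = Message(
    inbound=True,
    subject="Payment confirmation",
    body_text=(
        "Please find the attached zip file which is encrypted for your "
        "security. The password is KX9Q2ZT7AB. Details of the payment "
        "are in the attached file."
    ),
    attachments=[Attachment("payment_details.zip", "zip")],
)

# Zip with a generic name: only the uppercase-run fallback can satisfy
# the second stage, and it is case-sensitive.
GENERIC_NAME = Message(
    inbound=True,
    subject="Hello",
    body_text=(
        "Your attachment is encrypted. The password is ABCDEFGHIJKL. "
        "Details of your payment are attached."
    ),
    attachments=[Attachment("ARCHIVE2024.zip", "zip")],
)

BENIGN = Message(
    inbound=True,
    subject="Invoice attached",
    body_text="Hi, the invoice for March is attached as a PDF. Thanks.",
    attachments=[Attachment("invoice_march.pdf", "pdf")],
)


def evaluate_samples() -> dict:
    return {name: matches_rule(m) for name, m in
            [("lure", LURE), ("generic_name", GENERIC_NAME), ("benign", BENIGN)]}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

The BENIGN sample shows why the threshold matters: a single subject hit ("invoice attached") is not enough on its own, and a PDF never reaches the second stage. The GENERIC_NAME sample shows the fallback path, where the file name carries no payment keyword but the long uppercase password in the body still satisfies the rule.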

Indicators matched (11)

Field                         | Match     | Value
regex.icontains               | regex     | zip file.{1,50}encrypted
regex.icontains               | regex     | attachment.{1,30}encrypted
regex.icontains               | regex     | password.{1,5}is.{1,5}[A-Z0-9]{8,}
regex.icontains               | regex     | details.{1,20}payment.{1,30}attach
strings.icontains             | substring | you have received
strings.icontains             | substring | new debit
strings.icontains             | substring | payment confirmation
strings.icontains             | substring | invoice attached
attachments[0].file_extension | equals    | zip
regex.icontains               | regex     | payment|invoice|receipt|document|bank
regex.contains                | regex     | [A-Z]{10,}