Credential theft with 'safe content' deception and social engineering topics
Detects messages containing credential theft language combined with social engineering topics like secure messages, notifications, or authentication alerts. The rule specifically identifies emails that deceptively claim to be from a 'safe sender' or contain 'safe content' in the first line, which is a common tactic used to bypass security filters and gain user trust.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Evasion |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body MQL
```mql
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
and (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in (
        "Reminders and Notifications",
        "Secure Message",
        "Security and Authentication",
        "Voicemail Call and Missed Call Notifications",
        "E-Signature",
        "Financial Communications"
      )
  )
  or (
    length(distinct(filter(ml.nlu_classifier(body.current_thread.text).entities,
                           .name not in ("org", "recipient", "sender")
                    ),
                    .name
           )
    ) > 0
    and all(distinct(filter(ml.nlu_classifier(body.current_thread.text).entities,
                            .name not in ("org", "recipient", "sender")
                     ),
                     .name
            ),
            .name in ("request", "financial", "urgency")
    )
  )
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Advertising and Promotions",
              "Newsletters and Digests",
              "News and Current Events",
              "Travel and Transportation"
            )
)
// check only the first line of the email
and any(regex.iextract(body.current_thread.text, "^[^\r\n]*"),
        length(.full_match) < 500
        and strings.ilike(strings.replace_confusables(.full_match),
                          "*safe content*",
                          "*safe sender*",
                          "*trusted sender*"
        )
        and not regex.icontains(.full_match,
                                "add.{0,50} to.{0,50}(address book|safe senders? list)"
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence is not 'low'
- any of:
  - any of ml.nlu_classifier(body.current_thread.text).topics where:
    - .name in ('Reminders and Notifications', 'Secure Message', 'Security and Authentication', 'Voicemail Call and Missed Call Notifications', 'E-Signature', 'Financial Communications')
  - all of:
    - length(distinct(filter(ml.nlu_classifier(body.current_thread.text).entities, .name not in ('org', 'recipient', 'sender')), .name)) > 0
    - all of distinct(...) where:
      - .name in ('request', 'financial', 'urgency')
- not:
  - any of ml.nlu_classifier(body.current_thread.text).topics where:
    - .name in ('Advertising and Promotions', 'Newsletters and Digests', 'News and Current Events', 'Travel and Transportation')
- any of regex.iextract(body.current_thread.text, '^[^\r\n]*') where all hold:
  - length(.full_match) < 500
  - strings.replace_confusables(.full_match) matches any of 3 patterns: '*safe content*', '*safe sender*', '*trusted sender*'
  - not:
    - .full_match matches 'add.{0,50} to.{0,50}(address book|safe senders? list)'
Inspects: body.current_thread.text, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, regex.iextract, strings.ilike, strings.replace_confusables.
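Added example, not part of the page or of Sublime's rule: a Python re-implementation of the rule's deterministic first-line branch, run over constructed messages. It assumes `fnmatch` as a stand-in for `strings.ilike` and a small constructed homoglyph map in place of `strings.replace_confusables`; the NLU intent, topic and entity branches are not modelled.

```python
import re
from fnmatch import fnmatchcase

# Constructed, partial homoglyph map standing in for strings.replace_confusables
# (assumption: the real function covers far more code points than this).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
    "\u0440": "p", "\u0455": "s", "\u0456": "i", "\u0442": "t",
})

FIRST_LINE = re.compile(r"^[^\r\n]*")  # same regex the rule passes to regex.iextract
SAFE_PATTERNS = ("*safe content*", "*safe sender*", "*trusted sender*")
# Benign "add X to your safe senders list" guidance is excluded, as in the rule
EXCLUDE = re.compile(r"add.{0,50} to.{0,50}(address book|safe senders? list)",
                     re.IGNORECASE)


def first_line_claims_safe(body: str) -> bool:
    """Mirror the rule's first-line branch: the opening line must be under 500
    chars, contain a 'safe'/'trusted' claim after homoglyph folding, and not be
    the legitimate safe-senders-list boilerplate."""
    m = FIRST_LINE.match(body)
    line = m.group(0) if m else ""
    if len(line) >= 500:
        return False
    folded = line.translate(CONFUSABLES).lower()   # stand-in for replace_confusables + ilike
    if not any(fnmatchcase(folded, p) for p in SAFE_PATTERNS):
        return False
    return EXCLUDE.search(line) is None             # exclusion runs on the raw line


# Constructed sample bodies (not real messages)
SAMPLES = {
    # lure with a Cyrillic 'а' in 'sаfe' to slip past naive keyword filters
    "lure": "This message is from a s\u0430fe sender. Your account needs verification.\nLog in now.",
    # legitimate onboarding text that the exclusion regex should drop
    "benign": "Please add newsletter@example.com to your safe senders list.\nThanks!",
    "unrelated": "Hi team,\nAttached is the Q3 report.",
}


def evaluate_samples() -> dict:
    return {name: first_line_claims_safe(body) for name, body in SAMPLES.items()}
```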
Indicators matched (22)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Reminders and Notifications |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Secure Message |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Security and Authentication |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Voicemail Call and Missed Call Notifications |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | E-Signature |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Financial Communications |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | org |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | recipient |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | sender |
| distinct(...)[].name | member | request |
| distinct(...)[].name | member | financial |
| distinct(...)[].name | member | urgency |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Advertising and Promotions |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Newsletters and Digests |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | News and Current Events |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Travel and Transportation |
| regex.iextract | regex | ^[^\r\n]* |
| strings.ilike | substring | *safe content* |
| strings.ilike | substring | *safe sender* |
| strings.ilike | substring | *trusted sender* |
| regex.icontains | regex | add.{0,50} to.{0,50}(address book\|safe senders? list) |