Investor solicitation with organization targeting
Detects messages targeting organizations with investment solicitations that specifically reference the recipient's organization by extracting the organization name and matching it to the recipient's email domain.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud |
| Tactics and techniques | Social engineering |
Rule body MQL
type.inbound
and (
  // subject contains recipient's org name
  any(recipients.to,
      strings.icontains(subject.subject, .email.domain.sld)
      and regex.imatch(.email.domain.sld, '.{2,}')
  )
  or
  // body extracts org name matching recipient domain
  any(regex.extract(body.current_thread.text,
                    '(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention'
      ),
      any(recipients.to,
          strings.icontains(.email.domain.domain, ..named_groups["org"])
      )
  )
)
and any(headers.reply_to,
        .email.domain.root_domain != sender.email.domain.root_domain
)
// greeting uses recipient's email local_part
and any(recipients.to,
        (
          strings.icontains(body.current_thread.text,
                            strings.concat("Dear ", .email.local_part)
          )
          or any(regex.extract(.email.local_part, '^(?P<first>[^._]+)'),
                 strings.icontains(body.current_thread.text,
                                   strings.concat("Dear ",
                                                  .named_groups["first"]
                                   )
                 )
          )
        )
)
// financial/investment cold outreach language
and (
  2 of (
    strings.icontains(body.current_thread.text, "alternative investments"),
    strings.icontains(body.current_thread.text, "raising capital"),
    strings.icontains(body.current_thread.text, "came to our attention"),
    strings.icontains(body.current_thread.text, "private markets"),
    strings.icontains(body.current_thread.text, "fundraising"),
    strings.icontains(body.current_thread.text, "investment opportunities"),
    strings.icontains(body.current_thread.text, "introductory"),
    strings.icontains(body.current_thread.text, "commitment size"),
    strings.icontains(body.current_thread.text, "ultra-high-net-worth"),
    strings.icontains(body.current_thread.text, "deployed capital"),
    strings.icontains(body.current_thread.text, "value creation"),
    strings.icontains(body.current_thread.text, "capital planning")
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Financial Communications"
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Out of Band Pivot"
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "B2B Cold Outreach"
    )
  )
)
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of recipients.to where all hold:
    - strings.icontains(subject.subject, .email.domain.sld)
    - .email.domain.sld matches '.{2,}'
  - any of regex.extract(body.current_thread.text, '(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention') where:
    - any of recipients.to where:
      - strings.icontains(.email.domain.domain, ..named_groups["org"])
- any of headers.reply_to where:
  - .email.domain.root_domain is not sender.email.domain.root_domain
- any of recipients.to where any holds:
  - strings.icontains(body.current_thread.text, strings.concat("Dear ", .email.local_part))
  - any of regex.extract(.email.local_part, '^(?P<first>[^._]+)') where:
    - strings.icontains(body.current_thread.text, strings.concat("Dear ", .named_groups["first"]))
- any of:
  - at least 2 of 12: body.current_thread.text contains any of 12 patterns: alternative investments, raising capital, came to our attention, private markets, fundraising, investment opportunities, introductory, commitment size, ultra-high-net-worth, deployed capital, value creation, capital planning
  - all of:
    - any of ml.nlu_classifier(body.current_thread.text).topics where: .name is 'Financial Communications'
    - any of ml.nlu_classifier(body.current_thread.text).topics where: .name is 'Out of Band Pivot'
    - any of ml.nlu_classifier(body.current_thread.text).topics where: .name is 'B2B Cold Outreach'
Inspects: body.current_thread.text, headers.reply_to, headers.reply_to[].email.domain.root_domain, recipients.to, recipients.to[].email.domain.domain, recipients.to[].email.domain.sld, recipients.to[].email.local_part, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.extract, regex.imatch, strings.concat, strings.icontains.
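As an added illustration, not part of this rule page or of Sublime's code, the following Python re-implements the rule's non-ML clauses over constructed sample messages: the org-name extraction matched against the recipient domain, the Reply-To versus sender root-domain mismatch, the "Dear <local_part>" greeting check, and the 2-of-12 phrase count. Msg is a hypothetical flat stand-in for the MQL message object, and the ml.nlu_classifier branch is omitted.

```python
import re
from dataclasses import dataclass

# The rule's own regexes, verbatim (regex.extract in the rule is case-sensitive).
ORG_RE = re.compile(r"(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention")
FIRST_RE = re.compile(r"^(?P<first>[^._]+)")
PHRASES = ("alternative investments", "raising capital", "came to our attention", "private markets",
           "fundraising", "investment opportunities", "introductory", "commitment size",
           "ultra-high-net-worth", "deployed capital", "value creation", "capital planning")

@dataclass
class Msg:  # hypothetical flat stand-in for the MQL message object
    subject: str          # subject.subject
    body: str             # body.current_thread.text
    sender_root: str      # sender.email.domain.root_domain
    reply_to_roots: list  # headers.reply_to[].email.domain.root_domain
    recipients: list      # recipients.to[] as (local_part, domain, sld) tuples

def org_referenced(m: Msg) -> bool:
    # subject holds a 2+ char recipient SLD, or the body's captured org occurs in a recipient domain
    if any(len(sld) >= 2 and sld.lower() in m.subject.lower() for _, _, sld in m.recipients):
        return True
    return any(hit["org"].lower() in dom.lower()
               for hit in ORG_RE.finditer(m.body) for _, dom, _ in m.recipients)

def reply_to_mismatch(m: Msg) -> bool:  # any Reply-To root domain differs from the sender's
    return any(r != m.sender_root for r in m.reply_to_roots)
def personalised_greeting(m: Msg) -> bool:
    # "Dear <local_part>" or "Dear <local_part up to the first . or _>", case-insensitive
    body = m.body.lower()
    for local, _, _ in m.recipients:
        first = FIRST_RE.match(local)  # None if local_part starts with . or _
        if f"dear {local.lower()}" in body or (first and f"dear {first['first'].lower()}" in body):
            return True
    return False

def solicitation_language(m: Msg) -> bool:
    # the "2 of (...)" phrase branch; the ml.nlu_classifier topic branch is not reproduced
    return sum(p in m.body.lower() for p in PHRASES) >= 2
def matches(m: Msg) -> bool:  # conjunction of the rule's four top-level clauses
    return all(f(m) for f in (org_referenced, reply_to_mismatch,
                              personalised_greeting, solicitation_language))

# Constructed samples (not real mail): a targeted solicitation and a benign newsletter.
HIT = Msg("Partnership opportunity for Acme",
          "Dear jane.doe,\n\nAcme recently came to our attention as a leader in private markets. "
          "We are raising capital and would welcome an introductory call.",
          "bulkmailer.example", ["freemail.example"], [("jane.doe", "acme-corp.com", "acme-corp")])
BENIGN = Msg("Q3 market update", "Hello all, a quick note on private markets and fundraising.",
             "fundnews.example", ["fundnews.example"], [("jane.doe", "acme-corp.com", "acme-corp")])
```

The benign newsletter clears the phrase-count clause on its own, which shows why the rule also requires the Reply-To mismatch, the org reference and the personalised greeting before it fires.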
Indicators matched (18)
| Field | Match | Value |
|---|---|---|
| regex.imatch | regex | .{2,} |
| regex.extract | regex | (?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention |
| regex.extract | regex | ^(?P<first>[^._]+) |
| strings.icontains | substring | alternative investments |
| strings.icontains | substring | raising capital |
| strings.icontains | substring | came to our attention |
| strings.icontains | substring | private markets |
| strings.icontains | substring | fundraising |
| strings.icontains | substring | investment opportunities |
| strings.icontains | substring | introductory |
| strings.icontains | substring | commitment size |
| strings.icontains | substring | ultra-high-net-worth |
| strings.icontains | substring | deployed capital |
| strings.icontains | substring | value creation |
| strings.icontains | substring | capital planning |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Financial Communications |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Out of Band Pivot |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | B2B Cold Outreach |