Detection rules › Sublime MQL
Body: Suspicious date format
Detects messages containing strage date formats observed in phishing emails.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Spoofing, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body MQL
type.inbound
and regex.icontains(body.current_thread.text,
'Date:\s(?:Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)\s(?:January|February|March|April|May|June|July|August|September|October|November|December)\s202(?:5|6|7|8|9)'
)
Detection logic
Scope: inbound message.
Detects messages containing strage date formats observed in phishing emails.
- inbound message
- body.current_thread.text matches 'Date:\\s(?:Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)\\s(?:January|February|March|April|May|June|July|August|September|October|November|December)\\s202(?:5|6|7|8|9)'
Inspects: body.current_thread.text, type.inbound. Sensors: regex.icontains.
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
regex.icontains | regex | Date:\s(?:Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday)\s(?:January|February|March|April|May|June|July|August|September|October|November|December)\s202(?:5|6|7|8|9) |