detection.wiki

Detection rules › Sublime MQL

Brand impersonation: Automobile assistance associations

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Social engineering

Event coverage

Message attribute
body.current_thread
headers.auth_summary
sender.email
subject
type

Rule body MQL

type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org"
      and .text in~ (
        'AAA', // American Automobile Assoc.
        'RAC', // UK Royal Automobile Club
        'RAA', // Australia Royal Automotive Assoc.
        'CAA', // Canadian Automobile Assoc.
        'BCAA', // BC Automobile Assoc.
        'AMA', // Alberta Motor Assoc.
      )
  )
)
and regex.icontains(body.current_thread.text,
                    '(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\b).{0,10}kit'
)
// and the sender is not from high trust sender root domains
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate newsletters and quarantine notifications
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in ("Newsletters and Digests") and .confidence != "low"
  )
  or strings.icontains(subject.subject, "quarantine")
)

Detection logic

Scope: inbound message.

Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.

  1. inbound message
  2. any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
    • .name is 'org'
    • .text in ('AAA', 'RAC', 'RAA', 'CAA', 'BCAA', 'AMA')
  3. body.current_thread.text matches '(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\\b).{0,10}kit'
  4. not:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • coalesce(headers.auth_summary.dmarc.pass)
  5. none of:
    • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
      • .name in ('Newsletters and Digests')
      • .confidence is not 'low'
    • subject.subject contains 'quarantine'

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.icontains. Reference lists: $high_trust_sender_root_domains.

Indicators matched (10)

FieldMatchValue
ml.nlu_classifier(body.current_thread.text).entities[].nameequalsorg
ml.nlu_classifier(body.current_thread.text).entities[].textmemberAAA
ml.nlu_classifier(body.current_thread.text).entities[].textmemberRAC
ml.nlu_classifier(body.current_thread.text).entities[].textmemberRAA
ml.nlu_classifier(body.current_thread.text).entities[].textmemberCAA
ml.nlu_classifier(body.current_thread.text).entities[].textmemberBCAA
ml.nlu_classifier(body.current_thread.text).entities[].textmemberAMA
regex.icontainsregex(?:car|vehicle|motor|driver|emergency|road.?side|break.?down|assist|save|discount|complimentary|free\b).{0,10}kit
ml.nlu_classifier(body.current_thread.text).topics[].namememberNewsletters and Digests
strings.icontainssubstringquarantine