Brand impersonation: McAfee
Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, BEC/Fraud, Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender |
| sender.email |
| subject |
| type |
Rule body MQL

```mql
type.inbound
and (
    regex.icontains(body.current_thread.text,
                    'McAfee.{0,30}(?:Defense|Protection)'
    )
    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
    or regex.icontains(sender.display_name,
                       '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
    )
    or (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
        )
        and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                          .name == "urgency"
                   )
        ) >= 2
    )
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Newsletters and Digests", "Advertising and Promotions")
            and .confidence != "low"
)
and not (
    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
    and headers.auth_summary.dmarc.pass
)
and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - body.current_thread.text matches 'McAfee.{0,30}(?:Defense|Protection)'
  - subject.base matches 'McAfee.{0,30}(?:Defense|Protection)'
  - sender.display_name matches '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
  - all of:
    - any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
      - .name in ('org', 'sender')
      - .text contains 'mcafee'
    - length(filter(ml.nlu_classifier(body.current_thread.text).entities, .name == 'urgency')) ≥ 2
- not: any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name in ('Newsletters and Digests', 'Advertising and Promotions')
  - .confidence is not 'low'
- not: all of:
  - sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
  - headers.auth_summary.dmarc.pass
- not: all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - headers.auth_summary.dmarc.pass
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.icontains. Reference lists: $high_trust_sender_root_domains.
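To show how the clauses above combine, here is the same logic re-implemented in Python as an added example (not Sublime's code). It assumes a message dict mirroring the MQL fields, with the `entities` and `topics` lists standing in for `ml.nlu_classifier` output and a constructed stand-in for the `$high_trust_sender_root_domains` list; the MQL `[:punct:]` class is expanded from `string.punctuation` because Python's `re` does not support POSIX classes.

```python
import re
import string

# Regexes translated from the rule; [:punct:] expanded for Python's re module.
BRAND_RE = re.compile(r'McAfee.{0,30}(?:Defense|Protection)', re.I)
DISPLAY_NAME_RE = re.compile(
    r'^[\s' + re.escape(string.punctuation) + r']*mc\s*a+f+ee+(?:$|[^,])', re.I)
MCAFEE_DOMAINS = {'mcafee.com', 'mcafeesecure.com'}
# Constructed stand-in for the $high_trust_sender_root_domains reference list.
HIGH_TRUST_ROOT_DOMAINS = {'microsoft.com', 'google.com'}
PROMO_TOPICS = {'Newsletters and Digests', 'Advertising and Promotions'}


def matches_rule(msg):
    """Return True when msg matches the McAfee brand-impersonation rule.

    'entities' and 'topics' are caller-supplied stand-ins for NLU output.
    """
    if not msg['inbound']:
        return False
    entities = msg.get('entities', [])
    topics = msg.get('topics', [])
    brand_entity = any(e['name'] in ('org', 'sender') and 'mcafee' in e['text'].lower()
                       for e in entities)
    urgency_count = sum(1 for e in entities if e['name'] == 'urgency')
    impersonation = (
        BRAND_RE.search(msg['body']) is not None
        or BRAND_RE.search(msg['subject']) is not None
        or DISPLAY_NAME_RE.search(msg['display_name']) is not None
        or (brand_entity and urgency_count >= 2)
    )
    if not impersonation:
        return False
    # Bulk marketing mail that merely mentions the brand is excluded.
    if any(t['name'] in PROMO_TOPICS and t['confidence'] != 'low' for t in topics):
        return False
    # Legitimate senders are excluded only when DMARC actually passes, so a
    # lookalike claiming mcafee.com without DMARC alignment still alerts.
    root = msg['root_domain']
    if msg['dmarc_pass'] and (root in MCAFEE_DOMAINS or root in HIGH_TRUST_ROOT_DOMAINS):
        return False
    return True


# Constructed sample messages.
SPOOF = dict(inbound=True, body='Your McAfee Total Protection has expired. Renew now.',
             subject='Action required', display_name='McAfee Support',
             root_domain='example.net', dmarc_pass=True, entities=[], topics=[])
LEGIT = dict(SPOOF, root_domain='mcafee.com')
LOOKALIKE = dict(SPOOF, root_domain='mcafee.com', dmarc_pass=False)
```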
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | McAfee.{0,30}(?:Defense|Protection) |
| regex.icontains | regex | ^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,]) |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | org |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | sender |
| strings.icontains | substring | mcafee |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Newsletters and Digests |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Advertising and Promotions |
| sender.email.domain.root_domain | member | mcafee.com |
| sender.email.domain.root_domain | member | mcafeesecure.com |