Brand impersonation: SiriusXM
Impersonation of the broadcasting corporation SiriusXM.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing, Credential Phishing, Spam |
| Tactics and techniques | Free email provider, Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| sender |
| sender.email |
| type |
Rule body (MQL)
```mql
type.inbound
and (
    strings.ilike(sender.display_name, '*siriusxm*')
    or strings.ilevenshtein(sender.display_name, 'siriusxm') <= 1
    or strings.ilike(sender.email.domain.domain, '*siriusxm*')
)
and (
    sender.email.domain.root_domain not in (
        'siriusxm.com',
        'siriusxmmedia.com',
        'siriusxm.ca',
        'engagement360.net', // SiriusXM survey vendor
        'sciquest.com' // SiriusXM Procurement
    )
    or (
        sender.email.domain.root_domain in (
            'siriusxm.com',
            'siriusxmmedia.com',
            'siriusxm.ca',
            'engagement360.net', // SiriusXM survey vendor
            'sciquest.com' // SiriusXM Procurement
        )
        and not headers.auth_summary.dmarc.pass
    )
)
and not profile.by_sender().solicited
```
Detection logic
Scope: inbound message.
All of the following must hold:
- inbound message
- any of:
  - sender.display_name matches '*siriusxm*' (case-insensitive)
  - sender.display_name is within Levenshtein distance 1 of 'siriusxm' (case-insensitive)
  - sender.email.domain.domain matches '*siriusxm*' (case-insensitive)
- any of:
  - sender.email.domain.root_domain not in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca', 'engagement360.net', 'sciquest.com')
  - all of:
    - sender.email.domain.root_domain in ('siriusxm.com', 'siriusxmmedia.com', 'siriusxm.ca', 'engagement360.net', 'sciquest.com')
    - not: headers.auth_summary.dmarc.pass
- not: profile.by_sender().solicited

In other words, a SiriusXM lookalike fires unless it comes from one of the five allow-listed root domains with a passing DMARC result, and mail from a sender the recipient has previously solicited is always suppressed.
Inspects: headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.ilevenshtein, strings.ilike.
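To make the boolean structure concrete, here is an added Python emulation of the rule run over constructed sample senders. It is not Sublime's code: `ilike`, `ilevenshtein` and `root_domain` are simplified stand-ins for the MQL functions (the real root_domain is public-suffix aware; this one just keeps the last two labels), and the sample messages are made up for illustration.

```python
from fnmatch import fnmatchcase

LEGIT_ROOT_DOMAINS = {  # allow-list copied from the rule body
    "siriusxm.com", "siriusxmmedia.com", "siriusxm.ca",
    "engagement360.net", "sciquest.com"}

def ilike(value: str, pattern: str) -> bool:
    """Stand-in for strings.ilike: case-insensitive glob, '*' matches any run."""
    return fnmatchcase(value.lower(), pattern.lower())

def ilevenshtein(a: str, b: str) -> int:
    """Stand-in for strings.ilevenshtein: case-insensitive edit distance."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain: str) -> str:
    """Simplified root_domain: last two labels (Sublime's is public-suffix aware)."""
    return ".".join(domain.lower().split(".")[-2:])

def matches_rule(msg: dict) -> bool:
    """Mirror the rule body: brand lookalike, untrusted origin, unsolicited sender."""
    if not msg["inbound"]:
        return False
    name, domain = msg["display_name"], msg["domain"]
    lookalike = (ilike(name, "*siriusxm*")
                 or ilevenshtein(name, "siriusxm") <= 1
                 or ilike(domain, "*siriusxm*"))
    # Allow-listed root domains are trusted only when DMARC passes.
    untrusted = root_domain(domain) not in LEGIT_ROOT_DOMAINS or not msg["dmarc_pass"]
    return lookalike and untrusted and not msg["solicited"]

# Constructed sample senders (not taken from the page).
SAMPLES = {
    "free_mail_lookalike": dict(inbound=True, display_name="SiriusXM Billing", domain="gmail.com", dmarc_pass=True, solicited=False),
    "legit_dmarc_pass": dict(inbound=True, display_name="SiriusXM", domain="email.siriusxm.com", dmarc_pass=True, solicited=False),
    "spoofed_legit_domain": dict(inbound=True, display_name="SiriusXM", domain="siriusxm.com", dmarc_pass=False, solicited=False),
    "typo_display_name": dict(inbound=True, display_name="Sirius XM", domain="outlook.com", dmarc_pass=True, solicited=False),
    "solicited_vendor": dict(inbound=True, display_name="SiriusXM Survey", domain="engagement360.net", dmarc_pass=False, solicited=True),
    "unrelated_sender": dict(inbound=True, display_name="Acme Payroll", domain="acme.example", dmarc_pass=True, solicited=False),
}

def evaluate_all() -> dict:
    """Run every sample through the rule; True means the rule would fire."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}
```

Note that the spoofed_legit_domain case fires only because of the DMARC branch; with a passing DMARC result the same sender is treated as genuine SiriusXM mail.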
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *siriusxm* |
| strings.ilevenshtein | fuzzy | siriusxm |
| sender.email.domain.root_domain | member | siriusxm.com |
| sender.email.domain.root_domain | member | siriusxmmedia.com |
| sender.email.domain.root_domain | member | siriusxm.ca |
| sender.email.domain.root_domain | member | engagement360.net |
| sender.email.domain.root_domain | member | sciquest.com |