Brand impersonation: Survey request with credential theft indicators
Detects messages containing credential theft language disguised as a survey request inside promotional content, sent to organizations from untrusted domains or from spoofed high-trust domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Impersonation: Brand, Spoofing |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
```mql
type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "org" and .text == 'AAA'
  )
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "request" and strings.icontains(.text, 'Claim Your Free Kit')
  )
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Advertising and Promotions" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("request", "org") and strings.icontains(.text, "survey")
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    - .name is 'cred_theft'
    - .confidence is 'high'
  - any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
    - .name is 'org'
    - .text is 'AAA'
  - any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
    - .name is 'request'
    - .text contains 'Claim Your Free Kit'
- any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name is 'Advertising and Promotions'
  - .confidence is not 'low'
- any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
  - .name in ('request', 'org')
  - .text contains 'survey'
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not: headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, strings.icontains. Reference lists: $high_trust_sender_root_domains.
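The rule's conditions as an added Python re-implementation (not Sublime's code), run over constructed messages; the hand-written classifier output, the stand-in for $high_trust_sender_root_domains and the message field names are assumptions. It shows the sender check in action: a high-trust domain is only in scope when DMARC fails (a spoofing indicator), while any domain outside the list is always in scope.

```python
# Added example: the rule's logic re-implemented in Python and run over constructed
# messages. NLU output is hand-written to stand in for ml.nlu_classifier (assumption).

HIGH_TRUST_ROOT_DOMAINS = {"paypal.com", "microsoft.com"}  # stand-in for $high_trust_sender_root_domains

def icontains(haystack, needle):
    """strings.icontains: case-insensitive substring test."""
    return needle.lower() in haystack.lower()

def matches_rule(msg):
    """Return True when a message satisfies the rule; msg mirrors the MQL fields used."""
    nlu = msg["nlu"]  # {"intents": [...], "entities": [...], "topics": [...]}
    intents, entities, topics = nlu["intents"], nlu["entities"], nlu["topics"]

    cred_theft_or_lure = (
        any(i["name"] == "cred_theft" and i["confidence"] == "high" for i in intents)
        or any(e["name"] == "org" and e["text"] == "AAA" for e in entities)
        or any(e["name"] == "request" and icontains(e["text"], "Claim Your Free Kit")
               for e in entities)
    )
    promotional = any(t["name"] == "Advertising and Promotions" and t["confidence"] != "low"
                      for t in topics)
    survey = any(e["name"] in ("request", "org") and icontains(e["text"], "survey")
                 for e in entities)

    root = msg["sender_root_domain"]
    # A high-trust domain only passes the sender check when it fails DMARC (spoofed);
    # any domain outside the list is always in scope.
    untrusted_or_spoofed = (
        (root in HIGH_TRUST_ROOT_DOMAINS and not msg["dmarc_pass"])
        or root not in HIGH_TRUST_ROOT_DOMAINS
    )
    return bool(msg["inbound"] and cred_theft_or_lure and promotional and survey
                and untrusted_or_spoofed)

# Constructed sample: promotional "survey" lure with a high-confidence cred_theft intent,
# sent from a spoofed high-trust domain that fails DMARC.
SPOOFED_SURVEY = {
    "inbound": True,
    "sender_root_domain": "paypal.com",
    "dmarc_pass": False,
    "nlu": {
        "intents": [{"name": "cred_theft", "confidence": "high"}],
        "entities": [{"name": "request", "text": "Complete our customer survey"}],
        "topics": [{"name": "Advertising and Promotions", "confidence": "medium"}],
    },
}
# Same content, but the high-trust sender authenticates (DMARC pass): not flagged.
LEGIT_SURVEY = {**SPOOFED_SURVEY, "dmarc_pass": True}
```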
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | org |
| ml.nlu_classifier(body.current_thread.text).entities[].text | equals | AAA |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |
| strings.icontains | substring | Claim Your Free Kit |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Advertising and Promotions |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | request |
| ml.nlu_classifier(body.current_thread.text).entities[].name | member | org |
| strings.icontains | substring | survey |