Credential phishing: Fake card notification with tracking lure

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Social engineering

Event coverage

Rule body (MQL)

type.inbound
and (
  (
    regex.icontains(subject.base, '\bcard\b')
    or regex.icontains(body.current_thread.text, '\bcard\b')
  )
  and strings.ilike(body.current_thread.text,
                    "*could be with you*",
                    "*currently accessible*",
                    "*collect bank details*",
                    "*not a financial institution*"
  )
)
and any(body.links,
        strings.ilike(.display_text,
                      "*track order*",
                      "*track*card*",
                      "*card status*"
        )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. all of:
    • any of:
      • subject.base matches '\bcard\b'
      • body.current_thread.text matches '\bcard\b'
    • body.current_thread.text matches any of 4 patterns
      • *could be with you*
      • *currently accessible*
      • *collect bank details*
      • *not a financial institution*
  3. any of body.links where:
    • .display_text matches any of 3 patterns
      • *track order*
      • *track*card*
      • *card status*
  4. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name is 'cred_theft'
    • .confidence is 'high'
  5. not:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • coalesce(headers.auth_summary.dmarc.pass, false) is true (a missing DMARC result counts as a failure, so the exclusion only applies when DMARC actually passed)

Inspects: body.current_thread.text, body.links, body.links[].display_text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains.
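To make the combination of conditions concrete, the following is an added example (not code from the sublime-rules repository) that re-implements the rule's logic in Python and runs it over constructed sample messages. It assumes that MQL strings.ilike behaves as a case-insensitive glob, that the NLU classifier's intents are supplied as a field of the message rather than computed, and that $high_trust_sender_root_domains is a small constructed set; field and function names are this example's own.

```python
"""Emulation of the fake-card-notification rule over constructed sample messages."""
import re
from fnmatch import fnmatchcase

# Constructed stand-in for Sublime's $high_trust_sender_root_domains list (assumption).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-bank.example"}

# The same indicators the rule body uses.
CARD_RE = re.compile(r"\bcard\b", re.IGNORECASE)
BODY_LURES = ("*could be with you*", "*currently accessible*",
              "*collect bank details*", "*not a financial institution*")
LINK_LURES = ("*track order*", "*track*card*", "*card status*")


def ilike(text, patterns):
    """Case-insensitive glob match; approximates MQL strings.ilike (assumption on semantics)."""
    lowered = text.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def coalesce(value, default):
    """MQL coalesce: return the first non-null argument."""
    return default if value is None else value


def rule_matches(msg):
    """msg is a dict mirroring the MQL fields the rule reads (key names are this example's)."""
    if not msg["inbound"]:
        return False
    card_language = bool(CARD_RE.search(msg["subject"]) or CARD_RE.search(msg["body_text"]))
    delivery_lure = ilike(msg["body_text"], BODY_LURES)
    tracking_cta = any(ilike(link["display_text"], LINK_LURES) for link in msg["links"])
    # Classifier output is taken from the message record instead of running ml.nlu_classifier.
    cred_theft = any(i["name"] == "cred_theft" and i["confidence"] == "high"
                     for i in msg["intents"])
    # Exclusion: high-trust root domain AND a DMARC pass; a missing DMARC result does not exclude.
    trusted_and_authenticated = (msg["sender_root_domain"] in HIGH_TRUST_SENDER_ROOT_DOMAINS
                                 and coalesce(msg["dmarc_pass"], False))
    return (card_language and delivery_lure and tracking_cta and cred_theft
            and not trusted_and_authenticated)


def make_message(**overrides):
    """Constructed lure message; each keyword argument replaces one field."""
    base = {
        "inbound": True,
        "subject": "Your card could be with you by Friday",
        "body_text": ("Your new card is ready. It could be with you in 3 days.\n"
                      "Track your card to confirm the delivery address."),
        "links": [{"display_text": "Track your card"}],
        "intents": [{"name": "cred_theft", "confidence": "high"}],
        "sender_root_domain": "cards-notify.example",
        "dmarc_pass": None,
    }
    base.update(overrides)
    return base


def sample_messages():
    """Named scenarios covering the match path and each way the rule declines to fire."""
    return {
        "phish": make_message(),
        "trusted_dmarc_pass": make_message(sender_root_domain="trusted-bank.example",
                                           dmarc_pass=True),
        "trusted_dmarc_missing": make_message(sender_root_domain="trusted-bank.example",
                                              dmarc_pass=None),
        "no_tracking_link": make_message(links=[{"display_text": "Unsubscribe"}]),
        "low_confidence": make_message(intents=[{"name": "cred_theft", "confidence": "medium"}]),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name:24s} -> {'MATCH' if rule_matches(msg) else 'no match'}")
```

The trusted_dmarc_missing case is the one worth noting when tuning: because coalesce(headers.auth_summary.dmarc.pass, false) treats an absent DMARC result as a failure, a message from a high-trust root domain is still flagged unless DMARC actually passed.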

Indicators matched (10)

Field                                                             Match      Value
regex.icontains                                                   regex      \bcard\b
strings.ilike                                                     substring  *could be with you*
strings.ilike                                                     substring  *currently accessible*
strings.ilike                                                     substring  *collect bank details*
strings.ilike                                                     substring  *not a financial institution*
strings.ilike                                                     substring  *track order*
strings.ilike                                                     substring  *track*card*
strings.ilike                                                     substring  *card status*
ml.nlu_classifier(body.current_thread.text).intents[].name        equals     cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence  equals     high