Detection rules › Sublime MQL
Credential phishing: Financial lure via ActiveCampaign infrastructure
Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Event coverage
Rule body MQL
type.inbound
and strings.contains(headers.mailer, "ActiveCampaign")
and (
strings.ilike(body.current_thread.text,
"*Piratini*",
"*45.405.898/0001-16*",
"*Cancelar inscri*",
"*Matem?tica Genial*"
)
or strings.ilike(body.html.raw,
"*belonging to Spun*",
"*affiliated with Spun*"
)
)
and (
length(html.xpath(body.html,
'//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]'
).nodes
) > 0
or length(html.xpath(body.html, '//a/img').nodes) > 0
)
and ml.nlu_classifier(body.current_thread.text).language == "english"
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Health and Wellness", "Entertainment and Sports")
and .confidence == "high"
)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Detection logic
Scope: inbound message.
Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.
- inbound message
- headers.mailer contains 'ActiveCampaign'
any of:
body.current_thread.text matches any of 4 patterns
*Piratini**45.405.898/0001-16**Cancelar inscri**Matem?tica Genial*
body.html.raw matches any of 2 patterns
*belonging to Spun**affiliated with Spun*
any of:
- length(html.xpath(body.html, '//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]').nodes) > 0
- length(html.xpath(body.html, '//a/img').nodes) > 0
- ml.nlu_classifier(body.current_thread.text).language is 'english'
not:
any of
ml.nlu_classifier(body.current_thread.text).topicswhere all hold:- .name in ('Health and Wellness', 'Entertainment and Sports')
- .confidence is 'high'
not:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- coalesce(headers.auth_summary.dmarc.pass)
Inspects: body.current_thread.text, body.html, body.html.raw, headers.auth_summary.dmarc.pass, headers.mailer, sender.email.domain.root_domain, type.inbound. Sensors: html.xpath, ml.nlu_classifier, strings.contains, strings.ilike. Reference lists: $high_trust_sender_root_domains.
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
strings.contains | substring | ActiveCampaign |
strings.ilike | substring | *Piratini* |
strings.ilike | substring | *45.405.898/0001-16* |
strings.ilike | substring | *Cancelar inscri* |
strings.ilike | substring | *Matem?tica Genial* |
strings.ilike | substring | *belonging to Spun* |
strings.ilike | substring | *affiliated with Spun* |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Health and Wellness |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Entertainment and Sports |
ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |