Service Abuse: Nifty.com with impersonation
Detects emails from nifty.com where the sender's local part matches a recipient's local part or an organizational SLD (second-level domain), a pattern observed in credential harvesting campaigns.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Spoofing |
Rule body (MQL)

```mql
type.inbound
and sender.email.domain.root_domain == "nifty.com"
and (
    sender.email.local_part in map(recipients.to, .email.local_part)
    or sender.email.local_part in $org_slds
)
and ml.nlu_classifier(body.current_thread.text).language != "japanese"
// and no false positives and not solicited
and not profile.by_sender_email().any_messages_benign
```
Detection logic
Scope: inbound message.
all of:
- inbound message
- sender.email.domain.root_domain is 'nifty.com'
- any of:
  - sender.email.local_part in map(recipients.to, .email.local_part)
  - sender.email.local_part in $org_slds
- ml.nlu_classifier(body.current_thread.text).language is not 'japanese'
- not profile.by_sender_email().any_messages_benign
Inspects: body.current_thread.text, recipients.to, recipients.to[].email.local_part, sender.email.domain.root_domain, sender.email.local_part, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender_email. Reference lists: $org_slds.
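The predicate above, re-implemented in plain Python and run over a handful of constructed sample messages, as an added example (not Sublime's code and not part of this rule page). The `Message` layout, the pre-computed `body_language` and `any_messages_benign` fields standing in for the `ml.nlu_classifier` and `profile.by_sender_email()` sensors, the naive `root_domain` helper, the `ORG_SLDS` set and every address are assumptions made for illustration.

```python
"""Added example: the nifty.com impersonation rule as a Python predicate.

Assumptions (not from the rule page): a Message carries the language the
NLU classifier would have returned and the sender-profile benign flag as
plain fields, and organizational SLDs are a constructed set.
"""
from dataclasses import dataclass

# Constructed stand-in for the $org_slds reference list: the SLD of the
# defended organization's domain (example.com -> "example").
ORG_SLDS = {"example"}


def root_domain(domain: str) -> str:
    """Naive root-domain extraction (last two labels).

    Sufficient for nifty.com and its subdomains; a real implementation
    would consult the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def local_part(address: str) -> str:
    """Local part of an address, lower-cased for comparison."""
    return address.split("@", 1)[0].lower()


@dataclass
class Message:
    inbound: bool
    sender: str
    recipients_to: list
    body_language: str         # stands in for ml.nlu_classifier(...).language
    any_messages_benign: bool  # stands in for profile.by_sender_email().any_messages_benign


def matches(msg: Message, org_slds: set = ORG_SLDS) -> bool:
    """Return True when the message satisfies every clause of the rule."""
    if not msg.inbound:
        return False
    sender_domain = msg.sender.split("@", 1)[1]
    if root_domain(sender_domain) != "nifty.com":
        return False
    sender_lp = local_part(msg.sender)
    recipient_lps = {local_part(r) for r in msg.recipients_to}
    # Impersonation signal: sender local part mirrors a recipient or the org SLD.
    if not (sender_lp in recipient_lps or sender_lp in org_slds):
        return False
    # Japanese-language mail from a Japanese provider is treated as expected traffic.
    if msg.body_language == "japanese":
        return False
    # Senders with prior benign history are excluded.
    if msg.any_messages_benign:
        return False
    return True


# Constructed sample messages covering the match and each exclusion.
SAMPLES = {
    "mirrors_recipient": Message(True, "jsmith@nifty.com", ["jsmith@example.com"], "english", False),
    "mirrors_org_sld": Message(True, "example@nifty.com", ["it-helpdesk@example.com"], "english", False),
    "subdomain_sender": Message(True, "jsmith@mail.nifty.com", ["jsmith@example.com"], "english", False),
    "japanese_body": Message(True, "jsmith@nifty.com", ["jsmith@example.com"], "japanese", False),
    "no_local_part_match": Message(True, "newsletter@nifty.com", ["jsmith@example.com"], "english", False),
    "known_benign_sender": Message(True, "jsmith@nifty.com", ["jsmith@example.com"], "english", True),
    "outbound": Message(False, "jsmith@nifty.com", ["jsmith@example.com"], "english", False),
    "other_domain": Message(True, "jsmith@nifty.example", ["jsmith@example.com"], "english", False),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} -> {'MATCH' if hit else 'no match'}")
```

The two exclusions are where tuning usually happens: the language gate keeps legitimate Japanese-language mail from a Japanese provider out of the alert stream, and the benign-profile gate drops senders the organization has already exchanged mail with, so a new lookalike sender with no history is what surfaces.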
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| sender.email.domain.root_domain | equals | nifty.com |