Credential phishing: Re-Authentication lure
Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Impersonation: Brand |
Rule body MQL
type.inbound
and length(body.current_thread.text) < 2000
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or ml.nlu_classifier(body.current_thread.text).language != "english"
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Security and Authentication" and .confidence == "high"
)
// email server language
and 3 of (
  strings.icontains(body.current_thread.text, "security token"),
  strings.icontains(body.current_thread.text, "still active"),
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
  regex.icontains(body.current_thread.text, 're[- ]?activat(e|ing)'),
  regex.contains(body.current_thread.text, '\bMX\b'),
  strings.icontains(body.current_thread.text, "mail servers"),
  strings.icontains(body.current_thread.text, "email termination"),
  strings.icontains(body.current_thread.text, "locked out"),
  strings.icontains(body.current_thread.text, "email account"),
  strings.icontains(body.current_thread.text, "credential"),
  strings.icontains(subject.base, "disconnection"),
  any(recipients.to,
      .email.domain.valid and strings.icontains(subject.base, .email.email)
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("dear ", .email.local_part)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat(.email.domain.root_domain, " server")
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat(.email.domain.root_domain,
                                           " server"
                            )
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("attn: ", .email.local_part)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icount(body.current_thread.text, .email.email) > 1
  )
)
// suspicious link
and 2 of (
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      regex.match(.display_text, '[A-Z ]+')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'update')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'confirm')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'resolve')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'auth')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.root_domain == "ru.com"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.path == "/lt.php"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.tld in $suspicious_tlds
  ),
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.href_url.url, ..email.email)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.display_text, ..email.email)
      )
  ),
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_file_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
           ),
           .href_url.domain.root_domain in $free_file_hosts
    )
  ),
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_subdomain_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
           ),
           .href_url.domain.root_domain in $free_subdomain_hosts
    )
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
- inbound message
- length(body.current_thread.text) < 2000
- length(body.links) < 10
- any of:
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    - .name is 'cred_theft'
    - .confidence is 'high'
  - ml.nlu_classifier(body.current_thread.text).language is not 'english'
- any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name is 'Security and Authentication'
  - .confidence is 'high'
- at least 3 of (email server language):
  - body.current_thread.text contains 'security token'
  - body.current_thread.text contains 'still active'
  - any of ml.nlu_classifier(body.current_thread.text).entities where .name is 'urgency'
  - body.current_thread.text matches 're[- ]?activat(e|ing)' (case-insensitive)
  - body.current_thread.text matches '\bMX\b' (case-sensitive)
  - body.current_thread.text contains 'mail servers'
  - body.current_thread.text contains 'email termination'
  - body.current_thread.text contains 'locked out'
  - body.current_thread.text contains 'email account'
  - body.current_thread.text contains 'credential'
  - subject.base contains 'disconnection'
  - any of recipients.to where all hold:
    - .email.domain.valid
    - subject.base contains .email.email
  - any of recipients.to where all hold:
    - .email.domain.valid
    - body.current_thread.text contains strings.concat('dear ', .email.local_part)
  - any of recipients.to where all hold:
    - .email.domain.valid
    - body.current_thread.text contains strings.concat(.email.domain.root_domain, ' server')
  - any of recipients.to where all hold (this condition is listed a second time in the rule body, so one such match counts twice toward the threshold):
    - .email.domain.valid
    - body.current_thread.text contains strings.concat(.email.domain.root_domain, ' server')
  - any of recipients.to where all hold:
    - .email.domain.valid
    - body.current_thread.text contains strings.concat('attn: ', .email.local_part)
  - any of recipients.to where all hold:
    - .email.domain.valid
    - strings.icount(body.current_thread.text, .email.email) > 1
- at least 2 of (suspicious link; every link check below runs over filter(body.links) where .href_url.domain.root_domain is not sender.email.domain.root_domain):
  - any filtered link where .display_text matches '[A-Z ]+'
  - any filtered link where .display_text contains 'update'
  - any filtered link where .display_text contains 'confirm'
  - any filtered link where .display_text contains 'resolve'
  - any filtered link where .display_text contains 'auth'
  - any filtered link where .href_url.domain.root_domain is 'ru.com'
  - any filtered link where .href_url.path is '/lt.php'
  - any filtered link where .href_url.domain.tld in $suspicious_tlds
  - any of recipients.to where all hold:
    - .email.domain.valid
    - any filtered link where .href_url.url contains the recipient's ..email.email
  - any of recipients.to where all hold:
    - .email.domain.valid
    - any filtered link where .display_text contains the recipient's ..email.email
  - any of:
    - any filtered link where .href_url.domain.domain in $free_file_hosts
    - any filtered link where .href_url.domain.root_domain in $free_file_hosts
  - any of:
    - any filtered link where .href_url.domain.domain in $free_subdomain_hosts
    - any filtered link where .href_url.domain.root_domain in $free_subdomain_hosts
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, recipients.to, recipients.to[].email.domain.root_domain, recipients.to[].email.domain.valid, recipients.to[].email.email, recipients.to[].email.local_part, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: ml.nlu_classifier, regex.contains, regex.icontains, regex.match, strings.concat, strings.icontains, strings.icount. Reference lists: $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains, $suspicious_tlds.
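To see how the two threshold blocks behave on a concrete message, here is an added Python approximation of the rule (not Sublime's code; MQL itself only runs inside Sublime). It reproduces the string, regex and recipient-personalisation checks of the "3 of" and "2 of" blocks on a constructed sample message and skips the NLU classifier, reference-list ($suspicious_tlds, $free_file_hosts, $free_subdomain_hosts) and sender-trust gates; `root_domain` is a hypothetical two-label stand-in for MQL's `.domain.root_domain`.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Fields mirror sender.email.email, recipients.to[].email.email, subject.base,
# body.current_thread.text, and body.links as (href_url, display_text) pairs.
Message = namedtuple("Message", "sender recipients subject body_text links")

SERVER_TERMS = ["security token", "still active", "mail servers", "email termination",
                "locked out", "email account", "credential"]
LINK_TERMS = ["update", "confirm", "resolve", "auth"]

def root_domain(host):
    """Hypothetical stand-in for MQL's .domain.root_domain: the last two labels."""
    return ".".join((host or "").lower().rsplit(".", 2)[-2:])

def server_language_hits(msg):
    """Which 'email server language' checks fire (the NLU 'urgency' entity is omitted)."""
    body, subj = msg.body_text.lower(), msg.subject.lower()
    hits = [t for t in SERVER_TERMS if t in body]
    if re.search(r"re[- ]?activat(e|ing)", body): hits.append("re-activate")
    if re.search(r"\bMX\b", msg.body_text): hits.append("MX")  # case-sensitive, as in the rule
    if "disconnection" in subj: hits.append("subject:disconnection")
    for rcpt in (r.lower() for r in msg.recipients):
        local, dom = rcpt.split("@", 1)
        if rcpt in subj: hits.append("recipient in subject")
        if f"dear {local}" in body: hits.append("dear <local_part>")
        if f"{root_domain(dom)} server" in body: hits.append("<root_domain> server")
        if f"attn: {local}" in body: hits.append("attn: <local_part>")
        if body.count(rcpt) > 1: hits.append("recipient repeated")
    return hits

def suspicious_link_hits(msg):
    """'Suspicious link' checks that need no reference list; only links off the sender's root domain count."""
    sender_root = root_domain(msg.sender.split("@", 1)[1])
    ext = [(urlparse(h), t) for h, t in msg.links if root_domain(urlparse(h).hostname) != sender_root]
    hits = ["all-caps display text"] if any(re.fullmatch(r"[A-Z ]+", t) for _, t in ext) else []
    hits += [w for w in LINK_TERMS if any(w in t.lower() for _, t in ext)]
    if any(root_domain(u.hostname) == "ru.com" for u, _ in ext): hits.append("ru.com")
    if any(u.path == "/lt.php" for u, _ in ext): hits.append("/lt.php")
    for rcpt in (r.lower() for r in msg.recipients):
        if any(rcpt in u.geturl().lower() for u, _ in ext): hits.append("recipient in href")
        if any(rcpt in t.lower() for _, t in ext): hits.append("recipient in display text")
    return hits

def rule_matches(msg):
    """Structural gates of the rule; the NLU intent/topic and sender-trust gates are not reproduced."""
    return (len(msg.body_text) < 2000 and len(msg.links) < 10
            and len(server_language_hits(msg)) >= 3 and len(suspicious_link_hits(msg)) >= 2)

SAMPLE = Message(  # constructed test message, not taken from the page
    sender="alerts@mail-notice.example", recipients=["alice@corp.example"],
    subject="Disconnection notice for alice@corp.example",
    body_text="Dear alice, your email account on the corp.example server is still active but will be locked out.",
    links=[("https://login.other.example/lt.php?u=alice@corp.example", "CONFIRM ACCOUNT")])
```

Note that the rule body lists the `strings.concat(.email.domain.root_domain, " server")` condition twice, so in the rule one such match contributes two of the three required hits; the example counts it once.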
Indicators matched (22)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Security and Authentication |
| ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |
| strings.icontains | substring | security token |
| strings.icontains | substring | still active |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency |
| regex.icontains | regex | re[- ]?activat(e\|ing) |
| regex.contains | regex | \bMX\b |
| strings.icontains | substring | mail servers |
| strings.icontains | substring | email termination |
| strings.icontains | substring | locked out |
| strings.icontains | substring | email account |
| strings.icontains | substring | credential |
| strings.icontains | substring | disconnection |
| regex.match | regex | [A-Z ]+ |
| strings.icontains | substring | update |
| strings.icontains | substring | confirm |
| strings.icontains | substring | resolve |
| strings.icontains | substring | auth |
| filter(body.links)[].href_url.domain.root_domain | equals | ru.com |
| filter(body.links)[].href_url.path | equals | /lt.php |