Detection rules › Sublime MQL
DLP: EU Debit Card Number
Detects messages containing European debit card numbers.
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| sender.email |
| type |
Rule body (MQL)

    type.outbound
    and any(attachments,
            (
                .file_extension in~ $file_extensions_common_archives
                or .file_extension in~ ('.csv', '.txt', '.xlsx', '.xls')
            )
            and any(file.explode(.),
                    // Debit card: 13-19 digits with optional spaces/hyphens
                    regex.contains(.scan.ocr.raw, '\b(?:\d{4}[\s\-]?){3}\d{1,7}\b')
            )
    )
    and (
        // EU country TLDs
        strings.icontains(sender.email.domain.tld, "at")
        or strings.icontains(sender.email.domain.tld, "be")
        or strings.icontains(sender.email.domain.tld, "bg")
        or strings.icontains(sender.email.domain.tld, "hr")
        or strings.icontains(sender.email.domain.tld, "cy")
        or strings.icontains(sender.email.domain.tld, "cz")
        or strings.icontains(sender.email.domain.tld, "dk")
        or strings.icontains(sender.email.domain.tld, "ee")
        or strings.icontains(sender.email.domain.tld, "fi")
        or strings.icontains(sender.email.domain.tld, "fr")
        or strings.icontains(sender.email.domain.tld, "de")
        or strings.icontains(sender.email.domain.tld, "gr")
        or strings.icontains(sender.email.domain.tld, "hu")
        or strings.icontains(sender.email.domain.tld, "ie")
        or strings.icontains(sender.email.domain.tld, "it")
        or strings.icontains(sender.email.domain.tld, "lv")
        or strings.icontains(sender.email.domain.tld, "lt")
        or strings.icontains(sender.email.domain.tld, "lu")
        or strings.icontains(sender.email.domain.tld, "mt")
        or strings.icontains(sender.email.domain.tld, "nl")
        or strings.icontains(sender.email.domain.tld, "pl")
        or strings.icontains(sender.email.domain.tld, "pt")
        or strings.icontains(sender.email.domain.tld, "ro")
        or strings.icontains(sender.email.domain.tld, "sk")
        or strings.icontains(sender.email.domain.tld, "si")
        or strings.icontains(sender.email.domain.tld, "es")
        or strings.icontains(sender.email.domain.tld, "se")
        or strings.icontains(sender.email.domain.tld, "eu")
    )
Detection logic
Scope: outbound message.
The rule fires only when all three top-level conditions hold:
- the message is outbound (type.outbound)
- any attachment satisfies both of the following:
  - its file extension is in $file_extensions_common_archives, or is one of '.csv', '.txt', '.xlsx', '.xls' (case-insensitive)
  - any file produced by file.explode(.) has a .scan.ocr.raw value matching '\b(?:\d{4}[\s\-]?){3}\d{1,7}\b', i.e. three groups of four digits, each optionally followed by a space or hyphen, then 1 to 7 further digits (13 to 19 digits in total)
- sender.email.domain.tld contains (case-insensitive) any of these 28 patterns:
  at, be, bg, hr, cy, cz, dk, ee, fi, fr, de, gr, hu, ie, it, lv, lt, lu, mt, nl, pl, pt, ro, sk, si, es, se, eu

Inspects: attachments[].file_extension, sender.email.domain.tld, type.outbound. Sensors: file.explode, regex.contains, strings.icontains. Reference lists: $file_extensions_common_archives.

Caveats for tuning:
- The regex is evaluated only against .scan.ocr.raw of each exploded file, so only text that the OCR scanner produces for that file is inspected; text extracted by other scanners is not consulted by this rule as written.
- The regex performs no checksum validation: any 13 to 19 digit run in the accepted layout matches, so invoice references, account numbers or phone numbers in the same shape will also fire. A Luhn check on the matched digits is the usual way to cut that noise.
- strings.icontains is a substring test, not an equality test. A sender TLD such as dev (contains "de"), cat (contains "at") or bet (contains "be") satisfies the sender condition. If only the listed TLDs are intended, an exact membership test (sender.email.domain.tld in~ (...)) is stricter.
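The following Python script is an added example, not Sublime's code and not part of the rule: it re-implements the rule's boolean structure over constructed sample messages so the matching behaviour, and the two caveats above, can be exercised offline. The regex and the 28 TLDs are copied from the rule body. Assumptions: $file_extensions_common_archives is a Sublime reference list whose contents are not on the page, so a small stand-in tuple is used; each string in an attachment's "exploded_text" list stands in for the .scan.ocr.raw field of one file returned by file.explode(.); the Luhn check and the exact-TLD check are optional additions that are not in the rule.

```python
import re

# Regex copied verbatim from the rule body: 13 to 19 digits in groups of
# four, each group optionally followed by a space or hyphen.
CARD_RE = re.compile(r"\b(?:\d{4}[\s\-]?){3}\d{1,7}\b")

# The 28 TLD patterns listed in the rule body, in the same order.
EU_TLDS = (
    "at", "be", "bg", "hr", "cy", "cz", "dk", "ee", "fi", "fr", "de", "gr",
    "hu", "ie", "it", "lv", "lt", "lu", "mt", "nl", "pl", "pt", "ro", "sk",
    "si", "es", "se", "eu",
)

DATA_EXTENSIONS = (".csv", ".txt", ".xlsx", ".xls")
# $file_extensions_common_archives is a Sublime reference list whose contents
# are not on the page; this tuple is an assumed stand-in.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".tar", ".gz")


def tld_substring_match(tld):
    """The rule's sender check: strings.icontains(tld, X) for each pattern X."""
    tld = tld.lower()
    return any(pattern in tld for pattern in EU_TLDS)


def tld_exact_match(tld):
    """Stricter alternative (not in the rule): tld in~ (the 28 TLDs)."""
    return tld.lower() in EU_TLDS


def luhn_valid(candidate):
    """Luhn mod-10 checksum over the digits in candidate (not in the rule)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(text, require_luhn=False):
    """Substrings the rule's regex flags in one exploded file's text."""
    hits = [m.group(0) for m in CARD_RE.finditer(text)]
    if require_luhn:
        hits = [h for h in hits if luhn_valid(h)]
    return hits


def attachment_in_scope(attachment):
    ext = attachment["file_extension"].lower()
    return ext in ARCHIVE_EXTENSIONS or ext in DATA_EXTENSIONS


def evaluate(message, exact_tld=False, require_luhn=False):
    """Mirror the rule's boolean structure over a constructed message dict.

    Each string in attachment["exploded_text"] stands in for the
    .scan.ocr.raw field of one file returned by file.explode(.).
    """
    if not message["outbound"]:
        return False
    check = tld_exact_match if exact_tld else tld_substring_match
    if not check(message["sender_tld"]):
        return False
    for attachment in message["attachments"]:
        if not attachment_in_scope(attachment):
            continue
        for text in attachment["exploded_text"]:
            if find_candidates(text, require_luhn):
                return True
    return False


# Constructed sample messages; the card numbers are well-known test values.
SAMPLES = {
    "card_in_csv": {
        "outbound": True, "sender_tld": "de",
        "attachments": [{"file_extension": ".csv",
                         "exploded_text": ["kunde,karte\nMueller,4111 1111 1111 1111\n"]}],
    },
    "invoice_reference": {  # 13-digit reference, fails Luhn
        "outbound": True, "sender_tld": "fr",
        "attachments": [{"file_extension": ".txt",
                         "exploded_text": ["Facture ref 2024 0001 5555 1 payee"]}],
    },
    "dev_tld_sender": {  # "dev" contains "de", so icontains matches
        "outbound": True, "sender_tld": "dev",
        "attachments": [{"file_extension": ".xlsx",
                         "exploded_text": ["4242 4242 4242 4242"]}],
    },
    "inbound_copy": {  # never fires: type.outbound is false
        "outbound": False, "sender_tld": "nl",
        "attachments": [{"file_extension": ".zip",
                         "exploded_text": ["4242 4242 4242 4242"]}],
    },
}


def run_all(**kwargs):
    """Evaluate every sample; returns {name: fired}."""
    return {name: evaluate(msg, **kwargs) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    print("rule as written: ", run_all())
    print("exact TLD + Luhn:", run_all(exact_tld=True, require_luhn=True))
```

Run as written, the invoice reference and the .dev sender both fire alongside the real card number; with exact_tld=True and require_luhn=True only the genuine card number remains. The inbound copy never fires in either mode because the rule is scoped to outbound mail.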
Indicators matched (33)
| Field | Match | Value |
|---|---|---|
| attachments[].file_extension | member | .csv |
| attachments[].file_extension | member | .txt |
| attachments[].file_extension | member | .xlsx |
| attachments[].file_extension | member | .xls |
| regex.contains | regex | \b(?:\d{4}[\s\-]?){3}\d{1,7}\b |
| strings.icontains | substring | at |
| strings.icontains | substring | be |
| strings.icontains | substring | bg |
| strings.icontains | substring | hr |
| strings.icontains | substring | cy |
| strings.icontains | substring | cz |
| strings.icontains | substring | dk |
| strings.icontains | substring | ee |
| strings.icontains | substring | fi |
| strings.icontains | substring | fr |
| strings.icontains | substring | de |
| strings.icontains | substring | gr |
| strings.icontains | substring | hu |
| strings.icontains | substring | ie |
| strings.icontains | substring | it |
| strings.icontains | substring | lv |
| strings.icontains | substring | lt |
| strings.icontains | substring | lu |
| strings.icontains | substring | mt |
| strings.icontains | substring | nl |
| strings.icontains | substring | pl |
| strings.icontains | substring | pt |
| strings.icontains | substring | ro |
| strings.icontains | substring | sk |
| strings.icontains | substring | si |
| strings.icontains | substring | es |
| strings.icontains | substring | se |
| strings.icontains | substring | eu |