DLP - PCI: American Express Credit Card Number

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects outbound emails containing American Express (Amex) credit card numbers in the message body or text-parseable attachments. Amex PANs are 15 digits and start with 34 or 37. The standard human-readable format groups digits as XXXX XXXXXX XXXXX (e.g. 3782 822463 10005), though undelimited and dash-separated variants are also matched. Deploy this rule with the "Block Delivery" action to prevent PCI data exfiltration, or in passive mode to monitor and audit outbound mail containing card numbers. Regex engine: RE2 (Golang). No PCRE lookbehind — word boundaries (\b) are used instead. Attachment content is extracted via file.explode() / .scan.strings.strings.

Rule body MQL

type.outbound
and (
  // Body: Amex 15-digit with standard 4-6-5 grouping (spaces or dashes)
  regex.contains(body.current_thread.text,
    '\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b'
  )

  // Attachments: scan extracted strings from PDFs, Office docs, CSVs, etc.
  or any(attachments,
    .file_extension in~ ('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'csv', 'eml', 'msg')
    and any(file.explode(.),
      any(.scan.strings.strings,
        regex.contains(., '\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b')
      )
    )
  )
)
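
The rule's regex exercised under Go's regexp package, which is RE2 like the engine the rule runs on. This is an added example, not code from the sublime-rules project; the Luhn mod-10 filter goes beyond the rule itself and is included as the triage step a DLP analyst would typically apply to separate real PANs from 15-digit look-alikes. The message body below is constructed and uses well-known Amex test numbers.

```go
package main

import (
	"fmt"
	"regexp"
)

// Same pattern as the rule body; Go's regexp is RE2, the engine the rule runs under.
var amexRE = regexp.MustCompile(`\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b`)

// luhnValid is the Luhn mod-10 check, an added triage filter not in the MQL rule.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = d*2%10 + d*2/10 // digit sum of the doubled digit
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindAmex returns each candidate the rule's regex flags in text, reduced to
// 15 bare digits, keeping only those that pass Luhn.
func FindAmex(text string) []string {
	var hits []string
	for _, m := range amexRE.FindAllString(text, -1) {
		digits := ""
		for _, r := range m {
			if r >= '0' && r <= '9' {
				digits += string(r)
			}
		}
		if luhnValid(digits) {
			hits = append(hits, digits)
		}
	}
	return hits
}

func main() {
	// Constructed body: spaced, dashed and undelimited Amex test numbers, a
	// Luhn-invalid 15-digit number, and a 16-digit run the trailing \b rejects.
	body := "Card: 3782 822463 10005\nAlt: 3714-496353-98431\n" +
		"Raw: 378282246310005\nBogus: 3782 822463 10006\nLong: 3782822463100051"
	fmt.Println(FindAmex(body)) // [378282246310005 371449635398431 378282246310005]
}
```

The "Bogus" line shows why a regex-only rule over-matches: it is flagged by the pattern but fails Luhn, while the 16-digit "Long" line is never flagged because the trailing \b forbids a digit after the fifteenth.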

Detection logic

Scope: outbound message.

  1. outbound message
  2. any of:
    • body.current_thread.text matches '\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b'
    • any of attachments where all hold:
      • .file_extension in ('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'csv', 'eml', 'msg')
      • any of file.explode(.) where:
        • any of .scan.strings.strings where:
          • . matches '\b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b'

Inspects: attachments[].file_extension, body.current_thread.text, type.outbound. Sensors: file.explode, regex.contains.

Indicators matched (10)

Field                          Match    Value
regex.contains                 regex    \b3[47]\d{2}[\s-]?\d{6}[\s-]?\d{5}\b
attachments[].file_extension   member   pdf
attachments[].file_extension   member   doc
attachments[].file_extension   member   docx
attachments[].file_extension   member   xls
attachments[].file_extension   member   xlsx
attachments[].file_extension   member   txt
attachments[].file_extension   member   csv
attachments[].file_extension   member   eml
attachments[].file_extension   member   msg