Detection rules › Sublime MQL
DLP - PCI: Mastercard Credit Card Number
Detects outbound emails containing Mastercard credit card numbers in the message body or text-parseable attachments. Covers both the traditional 5-series BINs (51–55) and the expanded 2-series BINs (2221–2720) introduced in 2017. All Mastercard PANs are 16 digits, optionally separated by spaces or dashes (e.g. 5500 0000 0000 0004 or 2221-0000-0000-0000). Deploy this rule with the "Block Delivery" action to prevent PCI data exfiltration, or in passive mode to monitor and audit outbound mail containing card numbers. Regex engine: RE2 (Golang). No PCRE lookbehind — word boundaries (\b) are used instead. Attachment content is extracted via file.explode() / .scan.strings.strings.
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body.current_thread |
| type |
Rule body MQL
type.outbound
and (
// Body: Mastercard 5-series (51–55 prefix, 16 digits)
regex.contains(body.current_thread.text,
'\b5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
)
// Body: Mastercard 2-series BINs (2221–2720, 16 digits)
// Range breakdown: 2221-2229, 2230-2299, 2300-2699, 2700-2719, 2720
or regex.contains(body.current_thread.text,
'\b(?:222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
)
// Attachments: scan extracted strings from PDFs, Office docs, CSVs, etc.
or any(attachments,
.file_extension in~ ('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'csv', 'eml', 'msg')
and any(file.explode(.),
any(.scan.strings.strings,
regex.contains(., '\b5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b')
or regex.contains(.,
'\b(?:222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
)
)
)
)
)
Detection logic
Scope: outbound message.
Detects outbound emails containing Mastercard credit card numbers in the message body or text-parseable attachments. Covers both the traditional 5-series BINs (51–55) and the expanded 2-series BINs (2221–2720) introduced in 2017. All Mastercard PANs are 16 digits, optionally separated by spaces or dashes (e.g. 5500 0000 0000 0004 or 2221-0000-0000-0000). Deploy this rule with the "Block Delivery" action to prevent PCI data exfiltration, or in passive mode to monitor and audit outbound mail containing card numbers. Regex engine: RE2 (Golang). No PCRE lookbehind — word boundaries (\b) are used instead. Attachment content is extracted via file.explode() / .scan.strings.strings.
- outbound message
any of:
- body.current_thread.text matches '\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b'
- body.current_thread.text matches '\\b(?:222[1-9]|22[3-9]\\d|2[3-6]\\d{2}|27[01]\\d|2720)[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b'
any of
attachmentswhere all hold:- .file_extension in ('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'csv', 'eml', 'msg')
any of
file.explode(.)where:any of
.scan.strings.stringswhere any holds:- . matches '\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b'
- . matches '\\b(?:222[1-9]|22[3-9]\\d|2[3-6]\\d{2}|27[01]\\d|2720)[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b'
Inspects: attachments[].file_extension, body.current_thread.text, type.outbound. Sensors: file.explode, regex.contains.
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
regex.contains | regex | \b5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b |
regex.contains | regex | \b(?:222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b |
attachments[].file_extension | member | pdf |
attachments[].file_extension | member | doc |
attachments[].file_extension | member | docx |
attachments[].file_extension | member | xls |
attachments[].file_extension | member | xlsx |
attachments[].file_extension | member | txt |
attachments[].file_extension | member | csv |
attachments[].file_extension | member | eml |
attachments[].file_extension | member | msg |