Detection rules › Sublime MQL

Fake scan-to-email message

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing
Tactics and techniques    Free file host, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(attachments) == 0
and 0 < length(body.links) < 3
and strings.ilike(subject.subject, "*message from*")
and (
  (
    strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
    and not strings.ilike(body.current_thread.text, "*unmonitored*")
  )
  or (
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    strings.ilike(beta.ocr(file.message_screenshot()).text,
                  "*scan date*",
                  "*was sent from*"
    )
    and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                          "*unmonitored*"
    )
  )
)
and (
  any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
  or any(body.links, .display_url.url != .href_url.url)
  or any(body.links, .display_url.url is null)
)
and all(body.links,
        .href_url.domain.domain not in~ $org_domains
        and .href_url.domain.domain not in ("aka.ms")
)
and sender.email.domain.domain not in~ $org_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

Message resembles an email from a scan-to-email service or device but carries no attachment. Instead, the one or two links it contains point to a free file host, hide their destination behind a different display URL, or have no display URL at all, and none of them resolve to the organization's own domains or to aka.ms. The sender is external to the organization and has no benign message history.

  1. inbound message
  2. length(attachments) is 0
  3. all of:
    • length(body.links) > 0
    • length(body.links) < 3
  4. subject.subject matches '*message from*'
  5. any of:
    • all of:
      • body.current_thread.text matches any of 2 patterns
        • *scan date*
        • *was sent from*
      • not:
        • body.current_thread.text matches '*unmonitored*'
    • all of:
      • beta.ocr(file.message_screenshot()).text matches any of 2 patterns
        • *scan date*
        • *was sent from*
      • not:
        • beta.ocr(file.message_screenshot()).text matches '*unmonitored*'
  6. any of:
    • any of body.links where:
      • .href_url.domain.root_domain in $free_file_hosts
    • any of body.links where:
      • .display_url.url differs from .href_url.url (displayed link does not match the actual destination)
    • any of body.links where:
      • .display_url.url is missing
  7. all of body.links where all hold:
    • .href_url.domain.domain not in $org_domains
    • .href_url.domain.domain not in ('aka.ms')
  8. sender.email.domain.domain not in $org_domains
  9. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  10. not:
    • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, body.links, body.links[].display_url.url, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.url, sender.email.domain.domain, subject.subject, type.inbound. Sensors: beta.ocr, file.message_screenshot, profile.by_sender, strings.ilike. Reference lists: $free_file_hosts, $org_domains.
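The rule's message-level clauses, re-implemented in plain Python as an added illustration (this is not Sublime's code or MQL) and run over constructed sample messages. The $free_file_hosts and $org_domains lists, the profile.by_sender() values and the OCR text are hard-coded assumptions standing in for what the platform supplies, and root-domain extraction is simplified to the last two labels. One point worth noticing while reading the rule body: the trailing `not profile.by_sender().any_messages_benign` already covers the same test inside the second branch of the sender-profile clause, so that clause reduces to "unsolicited sender, or prior malicious/spam history"; the model below implements exactly that.

```python
# Added illustration, not Sublime's code: a plain-Python model of the rule's clauses,
# run over constructed messages. Reference lists, sender profile and OCR text are stand-ins.
from dataclasses import dataclass, field, replace
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlparse

FREE_FILE_HOSTS = {"mediafire.com", "wetransfer.com", "dropbox.com"}  # stand-in for $free_file_hosts
ORG_DOMAINS = {"example.com"}                                           # stand-in for $org_domains

@dataclass
class Link:
    href_url: str                      # .href_url.url
    display_url: Optional[str] = None  # .display_url.url; None models `is null`

@dataclass
class Profile:                         # profile.by_sender()
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_messages_benign: bool

@dataclass
class Message:
    inbound: bool
    sender_email: str
    subject: str
    body_text: str                     # body.current_thread.text
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)
    profile: Profile = field(default_factory=lambda: Profile(False, False, False))
    ocr_text: str = ""                 # stands in for beta.ocr(file.message_screenshot()).text

def ilike(text: str, *patterns: str) -> bool:
    """strings.ilike: case-insensitive wildcard match, true if any pattern matches."""
    lowered = text.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)

def domain(url: str) -> str:
    """.href_url.domain.domain: the full host name, lower-cased."""
    return (urlparse(url).hostname or "").lower()

def root_domain(host: str) -> str:
    """.href_url.domain.root_domain, simplified to the last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def looks_like_scanner(text: str) -> bool:
    """Scanner wording present and no 'unmonitored' disclaimer; applied to thread text and OCR text."""
    return ilike(text, "*scan date*", "*was sent from*") and not ilike(text, "*unmonitored*")

def matches(msg: Message) -> bool:
    """True when the message satisfies every clause of the rule body."""
    if not msg.inbound or msg.attachments or not 0 < len(msg.links) < 3:
        return False
    if not ilike(msg.subject, "*message from*"):
        return False
    if not (looks_like_scanner(msg.body_text) or looks_like_scanner(msg.ocr_text)):
        return False
    # At least one link is a free file host, hides its destination, or has no display URL.
    if not any(root_domain(domain(l.href_url)) in FREE_FILE_HOSTS
               or l.display_url is None or l.display_url != l.href_url
               for l in msg.links):
        return False
    # No link may point at the org's own domains or at aka.ms; the sender must be external too.
    if any(domain(l.href_url) in ORG_DOMAINS or domain(l.href_url) == "aka.ms" for l in msg.links):
        return False
    if msg.sender_email.rsplit("@", 1)[-1].lower() in ORG_DOMAINS:
        return False
    # The trailing `not any_messages_benign` also sits inside the second branch of the
    # sender-profile clause, so that clause reduces to: unsolicited, or prior malicious/spam.
    p = msg.profile
    return not p.any_messages_benign and (not p.solicited or p.any_messages_malicious_or_spam)

# Constructed sample messages (not real captures).
PHISH = Message(
    inbound=True, sender_email="scanner@printer-notify.test",
    subject="Message from KM_C308 scanner",
    body_text="Scan Date: 04/11/2024 10:32\nThis document was sent from the 2nd floor copier.\n"
              "Open document: https://www.mediafire.com/file/abc123",
    links=[Link("https://www.mediafire.com/file/abc123")],   # bare link, no display URL
)
LEGIT_INTERNAL = Message(            # real device: PDF attached, internal sender, benign history
    inbound=True, sender_email="copier@example.com", subject="Message from KM_C308",
    body_text="Scan Date: 04/11/2024\nThis message was sent from a copier.",
    attachments=["scan_0001.pdf"],
    profile=Profile(solicited=True, any_messages_malicious_or_spam=False, any_messages_benign=True),
)
AKA_MS_EXCLUDED = Message(           # display/href mismatch, but the aka.ms carve-out suppresses
    inbound=True, sender_email="noreply@vendor.test", subject="Message from your scanner",
    body_text="Scan Date: today. This was sent from your device.",
    links=[Link("https://aka.ms/scanhelp", display_url="https://support.example.net/help")],
)
KNOWN_SENDER = replace(PHISH, profile=Profile(False, False, True))  # any benign history suppresses

if __name__ == "__main__":
    for m in (PHISH, LEGIT_INTERNAL, AKA_MS_EXCLUDED, KNOWN_SENDER):
        print(f"{m.subject!r} -> {matches(m)}")
```

Run as a script, only the file-host lure fires; the attached-PDF internal scan, the aka.ms link and the sender with benign history are all suppressed, which mirrors steps 2, 7 and 10 of the walkthrough above.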

Indicators matched (5)

Field                                  Match       Value
strings.ilike                          substring   *message from*
strings.ilike                          substring   *scan date*
strings.ilike                          substring   *was sent from*
strings.ilike                          substring   *unmonitored*
body.links[].href_url.domain.domain    member      aka.ms