Fake request for tax preparation
Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Malware/Ransomware |
| Tactics and techniques | Social engineering |
Rule body MQL
```mql
type.inbound
and length(body.current_thread.text) < 1250
and any(beta.ml_topic(body.current_thread.text).topics,
        .name == "Financial Communications"
)
// there are no links, or every link is to aka.ms, is an extraction from a warning
// banner that matches the sender's domain, or points at a domain registered < 30 days ago
and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                         .display_text is null
                         and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
              )
    ) == length(body.links)
)
and length(attachments) == 0
and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
and strings.icontains(body.current_thread.text, "tax")
and (
    strings.like(body.current_thread.text,
                 "*return*",
                 "*record*",
                 "*CPA*",
                 "*filing*",
                 "*extension*"
    )
    or strings.ilike(body.current_thread.text,
                     "*tax preparer*",
                     "*tax*processing*"
    )
)
and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*paperwork*",
                  "*in search of*",
                  "*tax service*",
                  "*professional help*",
                  "*prepare*tax return*",
                  "*service*tax return*",
                  "*seeking*tax preparer*",
                  "*assist*processing*tax*",
                  "*schedule*call*",
                  "*zoom meeting*",
                  "*discuss*fees*",
                  "*W2*",
                  "*CPA*"
    )
    // suspicious patterns: the sender names themselves in the body and at least
    // two signs that replies are routed away from the visible sender
    or (
        strings.icontains(body.current_thread.text, sender.display_name)
        and 2 of (
            (
                length(headers.reply_to) > 0
                and all(headers.reply_to,
                        .email.domain.root_domain != sender.email.domain.root_domain
                )
            ),
            (
                headers.return_path.email is not null
                and headers.return_path.email != sender.email.email
            ),
            headers.return_path.domain.root_domain in ("amazonses.com")
        )
    )
)
and (
    (
        profile.by_sender().prevalence in ("new", "outlier")
        and not profile.by_sender().solicited
    )
    or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_messages_benign
    )
)
and not profile.by_sender().any_messages_benign
```
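As an added example (not Sublime's code and not part of this rule page), the Python below re-creates the rule's text and header heuristics so the `2 of` reply-routing block can be exercised on constructed messages. The message dict layout, the simplified `root_domain` helper and the sample addresses are assumptions; the ML-topic, whois and sender-profile sensors are not modelled and are assumed to have already passed.

```python
"""Offline model of the text and header checks in the rule above (added example, not
Sublime's code). Sublime-only sensors (beta.ml_topic, network.whois, profile.by_sender)
are assumed to have already passed, messages are assumed to carry no links, and the
message dict layout is invented for this example."""
from fnmatch import fnmatchcase

TOPIC_LIKE = ["*return*", "*record*", "*CPA*", "*filing*", "*extension*"]  # strings.like
TOPIC_ILIKE = ["*tax preparer*", "*tax*processing*"]                        # strings.ilike
PHRASES_ILIKE = ["*necessary documents*", "*required documents*", "*paperwork*",
                 "*in search of*", "*tax service*", "*professional help*",
                 "*prepare*tax return*", "*service*tax return*", "*seeking*tax preparer*",
                 "*assist*processing*tax*", "*schedule*call*", "*zoom meeting*",
                 "*discuss*fees*", "*W2*", "*CPA*"]

def like(text, patterns):   # strings.like: case-sensitive glob
    return any(fnmatchcase(text, p) for p in patterns)

def ilike(text, patterns):  # strings.ilike: case-insensitive glob
    return any(fnmatchcase(text.lower(), p.lower()) for p in patterns)

def root_domain(addr):      # simplified stand-in for .domain.root_domain
    return ".".join(addr.split("@")[-1].split(".")[-2:])

def header_anomalies(msg):
    """The rule's '2 of' block: independent signs that replies are routed elsewhere."""
    sender, reply_to, rp = msg["sender"], msg.get("reply_to", []), msg.get("return_path")
    return sum([bool(reply_to) and all(root_domain(r) != root_domain(sender) for r in reply_to),
                rp is not None and rp != sender,
                rp is not None and root_domain(rp) in ("amazonses.com",)])

def is_tax_prep_lure(msg):
    body, subject = msg["body"], msg["subject"]
    if len(body) >= 1250 or msg.get("attachments", 0) != 0:
        return False
    if not (ilike(subject, ["*tax*"]) or len(subject) < 15) or "tax" not in body.lower():
        return False
    if not (like(body, TOPIC_LIKE) or ilike(body, TOPIC_ILIKE)):
        return False
    # Either an explicit lure phrase, or the sender naming themselves in the body
    # while at least two reply-routing anomalies are present.
    suspicious = msg["display_name"].lower() in body.lower() and header_anomalies(msg) >= 2
    return ilike(body, PHRASES_ILIKE) or suspicious

# Constructed samples: a lure that relies only on header anomalies, and the same text
# from a sender whose Reply-To and Return-Path are consistent.
LURE = {"sender": "jane.doe@outlook.example", "display_name": "Jane Doe",
        "subject": "Question", "reply_to": ["jane@proton.example"],
        "return_path": "bounce@amazonses.com",
        "body": "Hi, this is Jane Doe. I need help with my tax filing this year."}
CONSISTENT = dict(LURE, reply_to=[], return_path=LURE["sender"])
```

Running `is_tax_prep_lure` on both samples shows the header branch alone separating them; swapping in a body that carries one of the 15 lure phrases fires regardless of headers.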
Detection logic
Scope: inbound message.
- inbound message
- length(body.current_thread.text) < 1250
- any of beta.ml_topic(body.current_thread.text).topics where:
  - .name is 'Financial Communications'
- any of:
  - length(body.links) is 0
  - length(filter(body.links, (.display_text is null and .display_url.url == sender.email.domain.root_domain) or .href_url.domain.domain == 'aka.ms' or network.whois(.display_url.domain).days_old < 30)) is length(body.links)
- length(attachments) is 0
- any of:
  - subject.subject matches '*tax*'
  - length(subject.subject) < 15
- body.current_thread.text contains 'tax'
- any of:
  - body.current_thread.text matches any of 5 patterns: `*return*`, `*record*`, `*CPA*`, `*filing*`, `*extension*`
  - body.current_thread.text matches any of 2 patterns: `*tax preparer*`, `*tax*processing*`
- any of:
  - body.current_thread.text matches any of 15 patterns: `*necessary documents*`, `*required documents*`, `*paperwork*`, `*in search of*`, `*tax service*`, `*professional help*`, `*prepare*tax return*`, `*service*tax return*`, `*seeking*tax preparer*`, `*assist*processing*tax*`, `*schedule*call*`, `*zoom meeting*`, `*discuss*fees*`, `*W2*`, `*CPA*`
  - all of:
    - body.current_thread.text contains sender.display_name
    - at least 2 of:
      - all of:
        - length(headers.reply_to) > 0
        - all of headers.reply_to where:
          - .email.domain.root_domain is not sender.email.domain.root_domain
      - all of:
        - headers.return_path.email is set
        - headers.return_path.email is not sender.email.email
      - headers.return_path.domain.root_domain in ('amazonses.com')
- any of:
  - all of:
    - profile.by_sender().prevalence in ('new', 'outlier')
    - not: profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not: profile.by_sender().any_messages_benign
- not: profile.by_sender().any_messages_benign
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].display_url.domain, body.links[].display_url.url, body.links[].href_url.domain.domain, headers.reply_to, headers.reply_to[].email.domain.root_domain, headers.return_path.domain.root_domain, headers.return_path.email, sender.display_name, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.ml_topic, network.whois, profile.by_sender, strings.icontains, strings.ilike, strings.like.
Indicators matched (27)
| Field | Match | Value |
|---|---|---|
| beta.ml_topic(body.current_thread.text).topics[].name | equals | Financial Communications |
| body.links[].href_url.domain.domain | equals | aka.ms |
| strings.ilike | substring | `*tax*` |
| strings.icontains | substring | tax |
| strings.like | substring | `*return*` |
| strings.like | substring | `*record*` |
| strings.like | substring | `*CPA*` |
| strings.like | substring | `*filing*` |
| strings.like | substring | `*extension*` |
| strings.ilike | substring | `*tax preparer*` |
| strings.ilike | substring | `*tax*processing*` |
| strings.ilike | substring | `*necessary documents*` |
| strings.ilike | substring | `*required documents*` |
| strings.ilike | substring | `*paperwork*` |
| strings.ilike | substring | `*in search of*` |
| strings.ilike | substring | `*tax service*` |
| strings.ilike | substring | `*professional help*` |
| strings.ilike | substring | `*prepare*tax return*` |
| strings.ilike | substring | `*service*tax return*` |
| strings.ilike | substring | `*seeking*tax preparer*` |
| strings.ilike | substring | `*assist*processing*tax*` |
| strings.ilike | substring | `*schedule*call*` |
| strings.ilike | substring | `*zoom meeting*` |
| strings.ilike | substring | `*discuss*fees*` |
| strings.ilike | substring | `*W2*` |
| strings.ilike | substring | `*CPA*` |
| headers.return_path.domain.root_domain | member | amazonses.com |