detection.wiki

Detection rules › Sublime MQL

File sharing link with a suspicious subject

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesFree file host, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers.auth_summary
sender.email
subject
type

Rule body MQL

type.inbound
and sender.email.domain.root_domain != 'google.com'
and not (
  sender.email.domain.root_domain == "dropbox.com"
  and headers.auth_summary.dmarc.pass
)
and any(body.links,
        (
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
        )
        and not (
          // negating Google Forms links
          .href_url.domain.domain == "docs.google.com"
          and strings.istarts_with(.href_url.path, "/forms/")
        )
        and not .href_url.domain.domain in $tenant_domains
)
and regex.icontains(subject.subject, 'immediately', 'urgent')
and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Detection logic

Scope: inbound message.

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

  1. inbound message
  2. sender.email.domain.root_domain is not 'google.com'
  3. not:
    • all of:
      • sender.email.domain.root_domain is 'dropbox.com'
      • headers.auth_summary.dmarc.pass
  4. any of body.links where all hold:
    • any of:
      • .href_url.domain.domain in $free_file_hosts
      • .href_url.domain.root_domain in $free_file_hosts
    • not:
      • all of:
        • .href_url.domain.domain is 'docs.google.com'
        • .href_url.path starts with '/forms/'
    • not:
      • .href_url.domain.domain in $tenant_domains
  5. subject.subject matches any of 2 patterns
    • immediately
    • urgent
  6. any of ml.nlu_classifier(body.current_thread.text).intents where:
    • .name is not 'benign'
  7. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains, strings.istarts_with. Reference lists: $free_file_hosts, $tenant_domains.

Indicators matched (5)

FieldMatchValue
sender.email.domain.root_domainequalsdropbox.com
body.links[].href_url.domain.domainequalsdocs.google.com
strings.istarts_withprefix/forms/
regex.icontainsregeximmediately
regex.icontainsregexurgent