detection.wiki

Detection rules › Sublime MQL

Vendor compromise: GovDelivery message with suspicious link

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing, Malware/Ransomware
Tactics and techniquesFree subdomain host, IPFS, Social engineering, Evasion, Impersonation: Brand

Event coverage

Message attribute
body
body.links (collection)
headers (collection)
headers.auth_summary
headers.domains (collection)
sender.email
type

Rule body MQL

type.inbound
and (
  sender.email.domain.domain == "public.govdelivery.com"
  or any(headers.domains, .root_domain == "govdelivery.com")
)
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(body.links) < 10
and any(body.links,
        any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
                   strings.parse_url(.named_groups["url"]).domain.root_domain not in (
                     "google.com",
                     "govdelivery.com",
                     "granicus.com",
                     "legistar1.com" // domain owned by granicus
                   )
                   and strings.parse_url(.named_groups["url"]).domain.tld not in (
                     "gov"
                   )
            ),
            // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
            strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
            or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
            or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
            or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
            or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
            or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
            or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
            or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
                   network.whois(.domain).days_old < 30
                   or strings.icontains(.domain.domain, "ipfs")
                   or regex.icontains(.query_params, '[\.-/]ipfs[\.-/]')
            )
            // page redirects to common website, observed when evasion happens
            or (
              length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history
              ) > 1
              and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
            )
        )
)

Detection logic

Scope: inbound message.

Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.

  1. inbound message
  2. any of:
    • sender.email.domain.domain is 'public.govdelivery.com'
    • any of headers.domains where:
      • .root_domain is 'govdelivery.com'
  3. any of:
    • headers.auth_summary.spf.pass
    • headers.auth_summary.dmarc.pass
  4. length(body.links) < 10
  5. any of body.links where:
    • any of filter(...) where any holds:
      • strings.parse_url(.named_groups['url']).domain.domain in $url_shorteners
      • strings.parse_url(.named_groups['url']).domain.domain in $social_landing_hosts
      • strings.parse_url(.named_groups['url']).domain.root_domain in $url_shorteners
      • strings.parse_url(.named_groups['url']).domain.root_domain in $social_landing_hosts
      • strings.parse_url(.named_groups['url']).domain.domain in $free_subdomain_hosts
      • strings.parse_url(.named_groups['url']).domain.root_domain in $free_subdomain_hosts
      • network.whois(strings.parse_url(.named_groups['url']).domain).days_old < 30
      • any of ml.link_analysis(strings.parse_url(.named_groups['url'])).redirect_history where any holds:
        • network.whois(.domain).days_old < 30
        • .domain.domain contains 'ipfs'
        • .query_params matches '[\\.-/]ipfs[\\.-/]'
      • all of:
        • length(ml.link_analysis(strings.parse_url(.named_groups['url'])).redirect_history) > 1
        • ml.link_analysis(strings.parse_url(.named_groups['url'])).effective_url.domain.root_domain in $tranco_10k

Inspects: body.links, body.links[].href_url.path, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, sender.email.domain.domain, type.inbound. Sensors: ml.link_analysis, network.whois, regex.extract, regex.icontains, strings.icontains, strings.parse_url. Reference lists: $free_subdomain_hosts, $social_landing_hosts, $tranco_10k, $url_shorteners.

Indicators matched (5)

FieldMatchValue
sender.email.domain.domainequalspublic.govdelivery.com
headers.domains[].root_domainequalsgovdelivery.com
regex.extractregex/CL0/(?P<url>.*?)/1/
strings.icontainssubstringipfs
regex.icontainsregex[\.-/]ipfs[\.-/]