
Brand impersonation: Wix

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages that impersonate Wix through lookalike display names or domain names and that either do not originate from legitimate Wix domains or come from a trusted sender domain but fail DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Impersonation: Brand, Lookalike domain, Social engineering

Event coverage

Rule body MQL

type.inbound
and (
  (
    regex.icontains(sender.display_name, '^WIX\b')
    or strings.ilike(sender.email.domain.domain, 'WIX')
  )
  or (
    strings.icontains(sender.display_name, 'wix')
    and regex.icontains(body.current_thread.text,
                        "Domain Expir(?:ation|y) Not(?:ice|ification)"
    )
    and strings.icontains(body.current_thread.text, "will be deactivated")
  )
  // Wix address from footer
  or 2 of (
    strings.icontains(body.current_thread.text, 'Wix.com'),
    strings.icontains(body.current_thread.text, '100 Gansevoort St'),
    strings.icontains(body.current_thread.text, 'New York, NY 10014')
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("sender", "org") and regex.icontains(.text, '^wix\b')
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence != "low"
    )
  )
)
and not (
  (
    sender.email.domain.root_domain in~ (
      "wix.com",
      "wixforms.com",
      "wixemails.com",
      "wixanswers.com",
      "wix-groups.com",
      "ascendbywix.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// negation for messages traversing wix.com
and not (
  any(headers.domains, .root_domain in ("wix.com", "ascendbywix.com"))
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)
and not profile.by_sender().solicited
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of:
    • any of:
      • sender.display_name matches '^WIX\\b'
      • sender.email.domain.domain matches 'WIX'
    • all of:
      • sender.display_name contains 'wix'
      • body.current_thread.text matches 'Domain Expir(?:ation|y) Not(?:ice|ification)'
      • body.current_thread.text contains 'will be deactivated'
    • at least 2 of:
      • body.current_thread.text contains 'Wix.com'
      • body.current_thread.text contains '100 Gansevoort St'
      • body.current_thread.text contains 'New York, NY 10014'
    • all of:
      • any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
        • .name in ('sender', 'org')
        • .text matches '^wix\\b'
      • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
        • .name is 'cred_theft'
        • .confidence is not 'low'
  3. not:
    • all of:
      • sender.email.domain.root_domain in ('wix.com', 'wixforms.com', 'wixemails.com', 'wixanswers.com', 'wix-groups.com', 'ascendbywix.com')
      • headers.auth_summary.dmarc.pass
  4. not:
    • all of:
      • any of headers.domains where:
        • .root_domain in ('wix.com', 'ascendbywix.com')
      • headers.auth_summary.spf.pass
      • headers.auth_summary.dmarc.pass
  5. not:
    • profile.by_sender().solicited
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains, strings.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains.
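To make the rule's branch structure concrete, here is an added Python model of the logic above, run over constructed sample messages. It is not part of the sublime-rules repository: the Message fields stand in for the MQL fields the rule inspects, HIGH_TRUST_SENDER_ROOT_DOMAINS is a made-up stand-in for the $high_trust_sender_root_domains reference list, the NLU entity and intent results are supplied as data rather than computed (the real ml.nlu_classifier is a Sublime sensor), and the ilike helper assumes strings.ilike semantics of a whole-string, case-insensitive match with * and ? wildcards.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for $high_trust_sender_root_domains (the real list is not on the page).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}

# Domains the rule treats as legitimate Wix senders and as Wix transit hops (from the rule body).
LEGIT_WIX_ROOT_DOMAINS = {"wix.com", "wixforms.com", "wixemails.com",
                          "wixanswers.com", "wix-groups.com", "ascendbywix.com"}
WIX_TRANSIT_ROOT_DOMAINS = {"wix.com", "ascendbywix.com"}

DISPLAY_NAME_RE = re.compile(r"^WIX\b", re.I)
EXPIRY_LURE_RE = re.compile(r"Domain Expir(?:ation|y) Not(?:ice|ification)", re.I)
WIX_ENTITY_RE = re.compile(r"^wix\b", re.I)
FOOTER_STRINGS = ("Wix.com", "100 Gansevoort St", "New York, NY 10014")


@dataclass
class Message:
    """Constructed stand-in for the MQL fields the rule inspects."""
    inbound: bool
    display_name: str
    sender_domain: str          # sender.email.domain.domain
    sender_root_domain: str     # sender.email.domain.root_domain
    body_text: str              # body.current_thread.text
    header_root_domains: list   # headers.domains[].root_domain
    spf_pass: bool              # headers.auth_summary.spf.pass
    dmarc_pass: bool            # headers.auth_summary.dmarc.pass
    solicited: bool = False     # profile.by_sender().solicited
    nlu_entities: list = field(default_factory=list)  # [(name, text)], assumed classifier output
    nlu_intents: list = field(default_factory=list)   # [(name, confidence)], assumed classifier output


def icontains(haystack, needle):
    return needle.lower() in haystack.lower()


def ilike(value, pattern):
    """Assumed strings.ilike semantics: case-insensitive whole-string match where '*' is any
    run and '?' one character, so a pattern without wildcards is an exact match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.I) is not None


def impersonation_signal(m):
    """The rule's positive block: any one of the four Wix-impersonation branches."""
    lookalike = bool(DISPLAY_NAME_RE.search(m.display_name)) or ilike(m.sender_domain, "WIX")
    expiry_lure = (icontains(m.display_name, "wix")
                   and EXPIRY_LURE_RE.search(m.body_text) is not None
                   and icontains(m.body_text, "will be deactivated"))
    footer_hits = sum(icontains(m.body_text, s) for s in FOOTER_STRINGS)
    nlu_brand = any(name in ("sender", "org") and WIX_ENTITY_RE.search(text)
                    for name, text in m.nlu_entities)
    nlu_cred_theft = any(name == "cred_theft" and conf != "low" for name, conf in m.nlu_intents)
    return lookalike or expiry_lure or footer_hits >= 2 or (nlu_brand and nlu_cred_theft)


def legitimate_wix_sender(m):
    return m.sender_root_domain in LEGIT_WIX_ROOT_DOMAINS and m.dmarc_pass


def traversed_wix(m):
    return (any(d in WIX_TRANSIT_ROOT_DOMAINS for d in m.header_root_domains)
            and m.spf_pass and m.dmarc_pass)


def trusted_and_authenticated(m):
    # "(trusted and not dmarc) or not trusted" simplifies to "not (trusted and dmarc)":
    # a high-trust domain is exempt only while its DMARC check passes.
    return m.sender_root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS and m.dmarc_pass


def rule_matches(m):
    return (m.inbound
            and impersonation_signal(m)
            and not legitimate_wix_sender(m)
            and not traversed_wix(m)
            and not m.solicited
            and not trusted_and_authenticated(m))


# Constructed sample messages, one per branch or negation of interest.
SAMPLES = {
    # Lookalike sender with the expiry lure; the attacker's own domain passes DMARC.
    "lookalike_expiry_lure": Message(
        True, "Wix Support", "wix-renewals.example.net", "example.net",
        "Domain Expiration Notice: your site will be deactivated unless you sign in.",
        ["example.net"], spf_pass=True, dmarc_pass=True),
    # Genuine Wix notification: legitimate root domain and DMARC pass, so it is negated.
    "genuine_wix": Message(
        True, "Wix", "wixemails.com", "wixemails.com",
        "Your Wix.com site stats are ready. 100 Gansevoort St, New York, NY 10014",
        ["wixemails.com"], spf_pass=True, dmarc_pass=True),
    # Direct spoof of wix.com failing SPF and DMARC: neither Wix negation applies.
    "spoofed_wix_dmarc_fail": Message(
        True, "Wix", "wix.com", "wix.com",
        "Please verify your account.", ["wix.com"], spf_pass=False, dmarc_pass=False),
    # Only the NLU branch fires: brand entity plus credential-theft intent (classifier output assumed).
    "nlu_only": Message(
        True, "Account Services", "updates.example.org", "example.org",
        "Your site login has been suspended. Re-enter your password here.",
        ["example.org"], spf_pass=True, dmarc_pass=True,
        nlu_entities=[("org", "Wix")], nlu_intents=[("cred_theft", "high")]),
    # High-trust sender that passes DMARC and quotes the Wix footer: exempt.
    "trusted_dmarc_pass": Message(
        True, "Accounts", "mail.google.com", "google.com",
        "Invoice from Wix.com, 100 Gansevoort St", ["google.com"], spf_pass=True, dmarc_pass=True),
    # Same trusted domain with DMARC failing: exemption withdrawn.
    "trusted_dmarc_fail": Message(
        True, "Accounts", "mail.google.com", "google.com",
        "Invoice from Wix.com, 100 Gansevoort St", ["google.com"], spf_pass=False, dmarc_pass=False),
}


def evaluate_samples():
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24} -> {'MATCH' if hit else 'no match'}")
```

The samples show why the three negations are ordered as they are: a genuine wixemails.com message is dropped by the legitimate-domain check, a wix.com spoof survives because its DMARC failure disables that check, and a high-trust sender is exempt only while DMARC passes, so a trusted domain that is being spoofed still fires.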

Indicators matched (20)

Field | Match | Value
regex.icontains | regex | ^WIX\b
strings.ilike | substring | WIX
strings.icontains | substring | wix
regex.icontains | regex | Domain Expir(?:ation|y) Not(?:ice|ification)
strings.icontains | substring | will be deactivated
strings.icontains | substring | Wix.com
strings.icontains | substring | 100 Gansevoort St
strings.icontains | substring | New York, NY 10014
ml.nlu_classifier(body.current_thread.text).entities[].name | member | sender
ml.nlu_classifier(body.current_thread.text).entities[].name | member | org
regex.icontains | regex | ^wix\b
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft
sender.email.domain.root_domain | member | wix.com
sender.email.domain.root_domain | member | wixforms.com
sender.email.domain.root_domain | member | wixemails.com
sender.email.domain.root_domain | member | wixanswers.com
sender.email.domain.root_domain | member | wix-groups.com
sender.email.domain.root_domain | member | ascendbywix.com
headers.domains[].root_domain | member | wix.com
headers.domains[].root_domain | member | ascendbywix.com