Brand impersonation: Chase bank with credential phishing indicators

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule checks for messages, with or without attachments, that leverage the Chase logo and for which Link Analysis or Natural Language Understanding (NLU) has flagged credential phishing with medium to high confidence. The rule also excludes messages where all links point to Chase-affiliated root domains, and excludes high-trust sender root domains unless the message fails DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Impersonation: Brand, Social engineering

Rule body (MQL)

type.inbound
and (
  (
    length(attachments) <= 3
    and any(attachments,
            .file_type in $file_types_images
            and any(ml.logo_detect(.).brands, .name == "Chase")
    )
  )
  or (
    length(attachments) == 0
    and any(ml.logo_detect(file.message_screenshot()).brands, .name == "Chase")
  )
)
and 0 < length(body.links) < 10
and (
  any(body.links,
      any([ml.link_analysis(.)],
          .credphish.disposition == "phishing"
          and .credphish.brand.confidence in ("medium", "high")
      )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name in ("cred_theft") and .confidence in ("medium", "high")
  )
)
and not all(body.links,
            .href_url.domain.root_domain in (
              "chasecdn.com",
              "chase.com",
              "chase.co.uk",
              "gslbjpmchase.com",
              "jpmorganchase.com",
              "jpmorgan.com",
              "jpmorganfunds.com",
              "jpmprivatebank.com",
              "paymentech.com"
            )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of:
    • all of:
      • length(attachments) ≤ 3
      • any of attachments where all hold:
        • .file_type in $file_types_images
        • any of ml.logo_detect(.).brands where:
          • .name is 'Chase'
    • all of:
      • length(attachments) is 0
      • any of ml.logo_detect(file.message_screenshot()).brands where:
        • .name is 'Chase'
  3. all of:
    • length(body.links) > 0
    • length(body.links) < 10
  4. any of:
    • any of body.links where:
      • any of [ml.link_analysis(.)] where all hold:
        • .credphish.disposition is 'phishing'
        • .credphish.brand.confidence in ('medium', 'high')
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name in ('cred_theft')
      • .confidence in ('medium', 'high')
  5. not:
    • all of body.links where:
      • .href_url.domain.root_domain in ('chasecdn.com', 'chase.com', 'chase.co.uk', 'gslbjpmchase.com', 'jpmorganchase.com', 'jpmorgan.com', 'jpmorganfunds.com', 'jpmprivatebank.com', 'paymentech.com')
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  7. any of:
    • not:
      • profile.by_sender().solicited
    • profile.by_sender().any_messages_malicious_or_spam

Inspects: attachments[].file_type, body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.message_screenshot, ml.link_analysis, ml.logo_detect, ml.nlu_classifier, profile.by_sender. Reference lists: $file_types_images, $high_trust_sender_root_domains.
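To make the exclusion logic concrete, here is an added Python model of the rule's boolean structure (example code, not part of the sublime-rules repository). The ML sensor outputs (logo detection, Link Analysis, NLU) and the `$high_trust_sender_root_domains` list are represented as pre-computed, constructed fields so the branches can be exercised offline; the domain names used in the checks are the ones listed in the rule body.

```python
"""Added example: a Python model of the Chase brand-impersonation rule.

Sensor verdicts are stand-ins (constructed fields), not calls into Sublime.
"""
from dataclasses import dataclass, field

# Root domains negated by the rule's `not all(body.links, ...)` clause.
CHASE_ROOT_DOMAINS = {
    "chasecdn.com", "chase.com", "chase.co.uk", "gslbjpmchase.com",
    "jpmorganchase.com", "jpmorgan.com", "jpmorganfunds.com",
    "jpmprivatebank.com", "paymentech.com",
}
# Stand-in for the $high_trust_sender_root_domains reference list (assumed).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"chase.com"}


@dataclass
class Msg:
    inbound: bool = True
    attachments: int = 0
    chase_logo: bool = False        # Chase logo found in an image attachment or screenshot
    link_root_domains: list = field(default_factory=list)
    link_credphish: bool = False    # Link Analysis: phishing + brand confidence medium/high
    nlu_cred_theft: bool = False    # NLU intent cred_theft with medium/high confidence
    sender_root_domain: str = "sender.example"
    dmarc_pass: bool = False
    solicited: bool = False
    sender_any_malicious: bool = False


def matches(m: Msg) -> bool:
    """Return True when the message satisfies every clause of the rule."""
    # Logo branch: <=3 attachments with a logo in an image, or 0 attachments
    # with a logo in the rendered screenshot. 4+ attachments never match.
    if not m.inbound or m.attachments > 3 or not m.chase_logo:
        return False
    # 0 < length(body.links) < 10; also prevents the vacuous all() over no links
    if not 0 < len(m.link_root_domains) < 10:
        return False
    if not (m.link_credphish or m.nlu_cred_theft):
        return False
    # Negate messages whose links are all Chase affiliates.
    if all(d in CHASE_ROOT_DOMAINS for d in m.link_root_domains):
        return False
    # High-trust senders are negated unless DMARC fails.
    if m.sender_root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS and m.dmarc_pass:
        return False
    return (not m.solicited) or m.sender_any_malicious
```

Running the model over a mix of a single non-affiliate link, an all-affiliate link set, and a high-trust sender with and without a DMARC pass shows which clause removes each message.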

Indicators matched (17)

Field | Match | Value
ml.logo_detect(attachments[]).brands[].name | equals | Chase
ml.logo_detect(file.message_screenshot()).brands[].name | equals | Chase
[ml.link_analysis(body.links[])][].credphish.disposition | equals | phishing
[ml.link_analysis(body.links[])][].credphish.brand.confidence | member | medium
[ml.link_analysis(body.links[])][].credphish.brand.confidence | member | high
ml.nlu_classifier(body.current_thread.text).intents[].name | member | cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high
body.links[].href_url.domain.root_domain | member | chasecdn.com
body.links[].href_url.domain.root_domain | member | chase.com
body.links[].href_url.domain.root_domain | member | chase.co.uk
body.links[].href_url.domain.root_domain | member | gslbjpmchase.com
body.links[].href_url.domain.root_domain | member | jpmorganchase.com
body.links[].href_url.domain.root_domain | member | jpmorgan.com
body.links[].href_url.domain.root_domain | member | jpmorganfunds.com
body.links[].href_url.domain.root_domain | member | jpmprivatebank.com
body.links[].href_url.domain.root_domain | member | paymentech.com