
Domain impersonation: Freemail reply-to local lookalike with financial request

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Free email provider, Social engineering

Rule body MQL

type.inbound
and any(headers.reply_to,
        .email.email != sender.email.email
        and .email.domain.domain in $free_email_providers
        and .email.email not in $sender_emails
        and strings.contains(.email.local_part, sender.email.domain.sld)
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "bec" and .confidence in ("medium", "high")
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "sender"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name != "benign"
    )
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of headers.reply_to where all hold:
    • .email.email is not sender.email.email
    • .email.domain.domain in $free_email_providers
    • .email.email not in $sender_emails
    • strings.contains(.email.local_part, sender.email.domain.sld)
  3. any of:
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'bec'
      • .confidence in ('medium', 'high')
    • all of:
      • any of ml.nlu_classifier(body.current_thread.text).entities where:
        • .name is 'financial'
      • any of ml.nlu_classifier(body.current_thread.text).entities where:
        • .name is 'request'
      • any of ml.nlu_classifier(body.current_thread.text).entities where:
        • .name is 'urgency'
      • any of ml.nlu_classifier(body.current_thread.text).entities where:
        • .name is 'sender'
      • any of ml.nlu_classifier(body.current_thread.text).intents where:
        • .name is not 'benign'

Inspects: body.current_thread.text, headers.reply_to, headers.reply_to[].email.domain.domain, headers.reply_to[].email.email, headers.reply_to[].email.local_part, sender.email.domain.sld, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, strings.contains. Reference lists: $free_email_providers, $sender_emails.
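The header clause of the rule, re-implemented in Python as an added example that is not code from the sublime-rules project. It runs over constructed sample messages; the free-provider set is a stand-in for Sublime's $free_email_providers list, the SLD helper ignores public-suffix rules, and the NLU intent/entity clause is not reproduced.

```python
# Added example, not code from the sublime-rules project: the header clause
# of the rule above, applied to constructed sample messages.
from email import message_from_bytes, policy

# Assumption: a tiny stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def sld(domain: str) -> str:
    """Second-level label of a domain ('acme' for 'acme.example').
    Assumption: no public-suffix handling, so 'co.uk'-style TLDs are off."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def reply_to_lookalikes(raw: bytes, sender_emails=frozenset()) -> list:
    """Reply-To addresses that satisfy the rule's header clause: differ from
    the sender, sit on a free provider, are not a known sender address, and
    embed the sender's SLD in the local part."""
    msg = message_from_bytes(raw, policy=policy.default)
    senders = msg["From"].addresses if msg["From"] else ()
    replies = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if not senders:
        return []
    sender_addr = senders[0].addr_spec.lower()
    sender_sld = sld(senders[0].domain)
    hits = []
    for rt in replies:
        addr = rt.addr_spec.lower()
        if (addr != sender_addr
                and rt.domain.lower() in FREE_EMAIL_PROVIDERS
                and addr not in sender_emails
                and sender_sld in rt.username.lower()):
            hits.append(addr)
    return hits


# Constructed sample messages (not real traffic).
LOOKALIKE = (b"From: Jane Doe <jane.doe@acme.example>\r\n"
             b"Reply-To: Jane Doe <jane.doe.acme@gmail.com>\r\n"
             b"Subject: Urgent wire\r\n\r\nPlease process the payment today.\r\n")
BENIGN = (b"From: Jane Doe <jane.doe@acme.example>\r\n"
          b"Reply-To: ap@acme.example\r\n"
          b"Subject: Invoice\r\n\r\nAttached as discussed.\r\n")

if __name__ == "__main__":
    print(reply_to_lookalikes(LOOKALIKE))  # ['jane.doe.acme@gmail.com']
    print(reply_to_lookalikes(BENIGN))     # []
```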

Indicators matched (7)

Field | Match | Value
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | bec
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | financial
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | sender