Detection rules › Sublime MQL

Employee impersonation with urgent request (untrusted sender)

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

The sender is using a display name that matches the display name of someone in your organization. Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from untrusted senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              BEC/Fraud
Tactics and techniques    Impersonation: Employee, Social engineering

Event coverage

Rule body MQL

type.inbound

// ensure the display name contains a space to avoid single-name process accounts, e.g. 'billing', 'payment'
and strings.contains(sender.display_name, " ")
and sender.display_name in~ $org_display_names
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "bec" and .confidence == "high"
  )
  or (
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
    )
    and not any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "benign" and .confidence == "high"
    )
    and (
      (
        // the classifier returned at least one intent
        any(ml.nlu_classifier(body.current_thread.text).intents, true)
        // or a longer body (> 200 chars) in which an extracted sender entity matches an org display name
        or (
          length(body.current_thread.text) > 200
          and any(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "sender" and .text in~ $org_display_names
          )
        )
      )
      and not strings.istarts_with(subject.subject, "fwd:")
    )
  )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
  or not headers.auth_summary.dmarc.pass
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_false_positives

Detection logic

Scope: inbound message.


  1. inbound message
  2. sender.display_name contains ' '
  3. sender.display_name in $org_display_names
  4. any of:
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'bec'
      • .confidence is 'high'
    • all of:
      • all of:
        • any of ml.nlu_classifier(body.current_thread.text).entities where:
          • .name is 'urgency'
        • any of ml.nlu_classifier(body.current_thread.text).entities where:
          • .name is 'request'
      • not:
        • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
          • .name is 'benign'
          • .confidence is 'high'
      • all of:
        • any of:
          • any of ml.nlu_classifier(body.current_thread.text).intents where:
            • always true
          • all of:
            • length(body.current_thread.text) > 200
            • any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
              • .name is 'sender'
              • .text in $org_display_names
        • not:
          • subject.subject starts with 'fwd:'
  5. any of:
    • all of:
      • profile.by_sender().prevalence in ('new', 'outlier')
      • not:
        • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_false_positives
    • not:
      • headers.auth_summary.dmarc.pass
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $org_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $org_domains
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  8. not:
    • profile.by_sender().any_false_positives

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, strings.contains, strings.istarts_with. Reference lists: $high_trust_sender_root_domains, $org_display_names, $org_domains.
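To make the decision tree above concrete, here is an added Python model of the rule's boolean logic evaluated over constructed messages. It is not part of the Sublime rule or platform: the reference lists, the Msg fields and the intents/entities lists are constructed stand-ins for the MQL message attributes and for ml.nlu_classifier output, and in~ and strings.istarts_with are modelled as case-insensitive comparisons.

```python
from dataclasses import dataclass

ORG_DISPLAY_NAMES = {"jane doe", "john smith"}        # constructed stand-in for $org_display_names
ORG_DOMAINS = {"example.com"}                         # constructed stand-in for $org_domains
HIGH_TRUST_ROOT_DOMAINS = {"trustedvendor.example"}   # constructed stand-in for $high_trust_sender_root_domains


@dataclass
class Msg:
    display_name: str
    root_domain: str
    subject: str
    body: str
    dmarc_pass: bool
    intents: list          # constructed stand-in for ml.nlu_classifier(body).intents
    entities: list         # constructed stand-in for ml.nlu_classifier(body).entities
    prevalence: str = "new"
    solicited: bool = False
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False


def matches(m: Msg) -> bool:
    # Display name must contain a space and match an org display name (case-insensitive, like in~)
    if " " not in m.display_name or m.display_name.lower() not in ORG_DISPLAY_NAMES:
        return False
    bec_high = any(i["name"] == "bec" and i["confidence"] == "high" for i in m.intents)
    urgency = any(e["name"] == "urgency" for e in m.entities)
    request = any(e["name"] == "request" for e in m.entities)
    benign_high = any(i["name"] == "benign" and i["confidence"] == "high" for i in m.intents)
    org_sender_entity = any(e["name"] == "sender" and e["text"].lower() in ORG_DISPLAY_NAMES
                            for e in m.entities)
    urgent_request = (urgency and request and not benign_high
                      and (len(m.intents) > 0 or (len(m.body) > 200 and org_sender_entity))
                      and not m.subject.lower().startswith("fwd:"))
    if not (bec_high or urgent_request):
        return False
    # Untrusted sender: new/outlier and unsolicited, prior bad history without FPs, or DMARC failure
    untrusted = ((m.prevalence in ("new", "outlier") and not m.solicited)
                 or (m.any_malicious_or_spam and not m.any_false_positives)
                 or not m.dmarc_pass)
    if not untrusted:
        return False
    # Org and high-trust domains are exempt only while they pass DMARC; a spoof that fails DMARC still fires
    if m.dmarc_pass and (m.root_domain in ORG_DOMAINS or m.root_domain in HIGH_TRUST_ROOT_DOMAINS):
        return False
    return not m.any_false_positives
```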

Indicators matched (8)

Field                                                            Match       Value
strings.contains                                                 substring   " "
ml.nlu_classifier(body.current_thread.text).intents[].name       equals      bec
ml.nlu_classifier(body.current_thread.text).intents[].confidence equals      high
ml.nlu_classifier(body.current_thread.text).entities[].name      equals      urgency
ml.nlu_classifier(body.current_thread.text).entities[].name      equals      request
ml.nlu_classifier(body.current_thread.text).intents[].name       equals      benign
ml.nlu_classifier(body.current_thread.text).entities[].name      equals      sender
strings.istarts_with                                             prefix      fwd: