Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and (
  strings.ilike(sender.display_name, "*exodus*")
  or (
    strings.ilike(sender.email.domain.root_domain, "*exodus*")
    and network.whois(sender.email.domain).days_old <= 30
  )
)
and sender.email.domain.root_domain not in (
  "exodus.com",
  "exodus.io",
  "exodusescaperoom.com"
)
and sender.email.email not in $recipient_emails
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .text == "wallet"
  )
)
```
Detection logic
Scope: inbound message.
Attack impersonating Exodus Wallet.
- inbound message
- any of:
  - sender.display_name matches '*exodus*'
  - all of:
    - sender.email.domain.root_domain matches '*exodus*'
    - network.whois(sender.email.domain).days_old ≤ 30
- sender.email.domain.root_domain not in ('exodus.com', 'exodus.io', 'exodusescaperoom.com')
- sender.email.email not in $recipient_emails
- any of:
  - any of ml.nlu_classifier(body.current_thread.text).intents where:
    - .name is not 'benign'
  - any of ml.nlu_classifier(body.current_thread.text).entities where:
    - .text is 'wallet'
Inspects: body.current_thread.text, sender.display_name, sender.email.domain, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, network.whois, strings.ilike. Reference lists: $recipient_emails.
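The same boolean logic rendered in Python and run over constructed sample messages, as an added example that is not part of Sublime's rule or this page. `network.whois` and `ml.nlu_classifier` are replaced by constructed stand-ins (a fixed domain-age table and a keyword stub), and the root-domain split is a simplification; the point is to see which branch admits or excludes each message.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed stand-ins for the rule's sensors (not Sublime's implementation):
# a fixed WHOIS age table and a keyword-based stub for ml.nlu_classifier.
WHOIS_DAYS_OLD = {"exodus-wallet-support.xyz": 5, "exodus-news.com": 900}
ALLOWED_ROOTS = {"exodus.com", "exodus.io", "exodusescaperoom.com"}


def nlu_classifier(text):
    """Toy stand-in for ml.nlu_classifier: returns (intents, entities)."""
    t = text.lower()
    suspicious = "verify" in t or "confirm" in t
    intents = [{"name": "cred_theft" if suspicious else "benign"}]
    entities = [{"text": "wallet"}] if "wallet" in t else []
    return intents, entities


@dataclass
class Message:
    inbound: bool
    display_name: str
    email: str
    body: str
    recipient_emails: set = field(default_factory=set)  # $recipient_emails


def root_domain(email):
    # Simplification: treat the last two labels as the registrable root domain.
    return ".".join(email.split("@")[1].lower().split(".")[-2:])


def matches_exodus_impersonation(msg):
    """Python rendering of the MQL rule body: every clause must hold."""
    if not msg.inbound:  # type.inbound
        return False
    root = root_domain(msg.email)
    # Impersonation signal: brand in display name, or a young lookalike domain.
    # WHOIS is only consulted when the domain itself looks like the brand.
    name_hit = fnmatch.fnmatchcase(msg.display_name.lower(), "*exodus*")
    domain_hit = (fnmatch.fnmatchcase(root, "*exodus*")
                  and WHOIS_DAYS_OLD.get(root, 10_000) <= 30)
    if not (name_hit or domain_hit):
        return False
    # Exclusions: the brand's real domains and messages the recipient sent.
    if root in ALLOWED_ROOTS or msg.email.lower() in msg.recipient_emails:
        return False
    # Content signal: a non-benign intent or a "wallet" entity in the thread.
    intents, entities = nlu_classifier(msg.body)
    return (any(i["name"] != "benign" for i in intents)
            or any(e["text"] == "wallet" for e in entities))
```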
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *exodus* |
| sender.email.domain.root_domain | member | exodus.com |
| sender.email.domain.root_domain | member | exodus.io |
| sender.email.domain.root_domain | member | exodusescaperoom.com |
| ml.nlu_classifier(body.current_thread.text).entities[].text | equals | wallet |