VIP Impersonation via Google Group relay with suspicious indicators

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Public Google Groups can be used to relay mail that impersonates internal senders while the Reply-To address points to a mailbox outside organizational control, leading to fraud, credential phishing, or other unwanted outcomes.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              BEC/Fraud, Credential Phishing, Malware/Ransomware
Tactics and techniques    Evasion, Free email provider, Impersonation: Employee, Social engineering, Spoofing

Rule body (MQL)

(type.inbound or type.internal)
and sender.email.domain.root_domain in $org_domains

// subject, sender or reply to contains a VIP
and (
  any(headers.reply_to,
      any($org_vips, strings.contains(.display_name, ..display_name))
  )
  or any($org_vips, strings.contains(subject.subject, .display_name))
  or any($org_vips, strings.contains(sender.display_name, .display_name))
)
and any(headers.hops,
        any(.fields,
            regex.icontains(.name,
                            "X-Authenticated-Sender|X-Sender|X-Original-Sender"
            )
        )
)

// reply to return path mismatch and not org domain
and any(headers.reply_to,
        .email.domain.root_domain != headers.return_path.domain.root_domain
        and .email.domain.root_domain not in $org_domains
)

// googlegroups found in hops
and any(headers.hops,
        .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
)

// financial nlu entity in current thread
and 3 of (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),

  // invoice entity in display_text
  any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),

  // fake thread
  (
    (subject.is_forward or subject.is_reply)
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or headers.in_reply_to is null
    )
  ),

  // reply-to is freemail 
  any(headers.reply_to, .email.domain.domain in $free_email_providers),

  // reply-to is not in $recipient_emails
  any(headers.reply_to, .email.email not in $recipient_emails),

  // dmarc authentication is freemail provider
  headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers
)

Detection logic

Scope: inbound or internal messages.

  1. any of:
    • inbound message
    • internal message
  2. sender.email.domain.root_domain in $org_domains
  3. any of:
    • any of headers.reply_to where:
      • any of $org_vips where:
        • strings.contains(.display_name, ..display_name), i.e. the VIP display name contains the reply-to display name
    • any of $org_vips where:
      • strings.contains(subject.subject, .display_name), i.e. the subject contains the VIP display name
    • any of $org_vips where:
      • strings.contains(sender.display_name, .display_name), i.e. the sender display name contains the VIP display name
  4. any of headers.hops where:
    • any of .fields where:
      • .name matches 'X-Authenticated-Sender|X-Sender|X-Original-Sender' (case-insensitive)
  5. any of headers.reply_to where all hold:
    • .email.domain.root_domain is not headers.return_path.domain.root_domain
    • .email.domain.root_domain not in $org_domains
  6. any of headers.hops where all hold:
    • .index is 0
    • any of .fields where:
      • .value contains 'googlegroups' (case-insensitive)
  7. at least 3 of:
    • any of ml.nlu_classifier(body.current_thread.text).entities where:
      • .name is 'financial'
    • any of ml.nlu_classifier(body.current_thread.text).tags where:
      • .name is 'invoice'
    • all of:
      • any of:
        • subject.is_forward
        • subject.is_reply
      • any of:
        • all of:
          • length(headers.references) is 0
          • headers.in_reply_to is missing
        • headers.in_reply_to is missing (this branch already covers the one above, so the condition reduces to a missing In-Reply-To on a subject that looks like a reply or forward)
    • any of headers.reply_to where:
      • .email.domain.domain in $free_email_providers
    • any of headers.reply_to where:
      • .email.email not in $recipient_emails
    • headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers

Inspects: body.current_thread.text, headers.auth_summary.dmarc.details.from.root_domain, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.hops[].index, headers.in_reply_to, headers.references, headers.reply_to, headers.reply_to[].display_name, headers.reply_to[].email.domain.domain, headers.reply_to[].email.domain.root_domain, headers.reply_to[].email.email, headers.return_path.domain.root_domain, sender.display_name, sender.email.domain.root_domain, subject.is_forward, subject.is_reply, subject.subject, type.inbound, type.internal. Sensors: ml.nlu_classifier, regex.icontains, strings.contains, strings.icontains. Reference lists: $free_email_providers, $org_domains, $org_vips, $recipient_emails.
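The following Python re-implementation of the rule's structural gates and "3 of" indicators is an added example; it is not code from this page, from the sublime-rules project, or from the Sublime engine, and it does not evaluate MQL. The message is modelled as a plain dict, the reference lists ($org_domains, $org_vips, $free_email_providers, $recipient_emails) are placeholder sets, ml.nlu_classifier output is supplied as precomputed entity and tag names, subject.is_reply/is_forward is approximated with a prefix regex, and root_domain is a two-label approximation of MQL's .root_domain; all of these are assumptions. It runs the logic over a constructed VIP-spoof relay and over a benign internal group thread to show which gate separates them.

```python
import re

# Constructed stand-ins for the rule's reference lists ($org_domains, $org_vips,
# $free_email_providers, $recipient_emails).
ORG_DOMAINS = {"example.com"}
ORG_VIPS = [{"display_name": "Jane Doe", "email": "jane.doe@example.com"}]
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"ap@example.com"}
RELAY_HEADER_RE = re.compile(r"X-Authenticated-Sender|X-Sender|X-Original-Sender", re.I)
REPLY_FWD_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)  # stand-in for subject.is_reply / is_forward


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def root_domain(domain: str) -> str:
    """Crude stand-in for MQL's .root_domain (last two labels); real code needs the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def vip_in_headers(msg: dict) -> bool:
    """Step 3. In the published reply-to clause the VIP display name must contain the reply-to display name."""
    names = [v["display_name"] for v in ORG_VIPS]
    return (any(rt["display_name"] in n for rt in msg["reply_to"] for n in names)
            or any(n in msg["subject"] for n in names)
            or any(n in msg["sender"]["display_name"] for n in names))


def relay_headers_present(msg: dict) -> bool:
    """Step 4: some hop carries X-Authenticated-Sender / X-Sender / X-Original-Sender."""
    return any(RELAY_HEADER_RE.search(name) for hop in msg["hops"] for name in hop["fields"])


def reply_to_outside_org(msg: dict) -> bool:
    """Step 5: a reply-to root domain differs from the return-path root domain and is not ours."""
    rp_root = root_domain(domain_of(msg["return_path"]))
    roots = [root_domain(domain_of(rt["email"])) for rt in msg["reply_to"]]
    return any(r != rp_root and r not in ORG_DOMAINS for r in roots)


def googlegroups_in_first_hop(msg: dict) -> bool:
    """Step 6: hop 0 (the final delivery hop) mentions googlegroups in any field value."""
    return any("googlegroups" in v.lower()
               for hop in msg["hops"] if hop["index"] == 0 for v in hop["fields"].values())


def suspicious_indicators(msg: dict) -> list:
    """Step 7: the six weak indicators, any three of which satisfy the rule.
    Classifier output is read from msg["nlu"] because ml.nlu_classifier is not available here."""
    # The rule's "(references empty and in_reply_to null) or in_reply_to null" reduces to the latter.
    fake_thread = bool(REPLY_FWD_RE.match(msg["subject"])) and msg["in_reply_to"] is None
    return [
        ("financial_entity", "financial" in msg["nlu"]["entities"]),
        ("invoice_tag", "invoice" in msg["nlu"]["tags"]),
        ("fake_thread", fake_thread),
        ("reply_to_freemail", any(domain_of(rt["email"]) in FREE_EMAIL_PROVIDERS for rt in msg["reply_to"])),
        ("reply_to_not_recipient", any(rt["email"].lower() not in RECIPIENT_EMAILS for rt in msg["reply_to"])),
        ("dmarc_from_freemail", msg["dmarc_from_root_domain"] in FREE_EMAIL_PROVIDERS),
    ]


def rule_matches(msg: dict) -> bool:
    """All structural gates (steps 1-6) plus at least three of the step-7 indicators."""
    hits = [name for name, hit in suspicious_indicators(msg) if hit]
    return (msg["type"] in ("inbound", "internal")
            and root_domain(domain_of(msg["sender"]["email"])) in ORG_DOMAINS
            and vip_in_headers(msg)
            and relay_headers_present(msg)
            and reply_to_outside_org(msg)
            and googlegroups_in_first_hop(msg)
            and len(hits) >= 3)


# Constructed sample: a freemail message spoofing a VIP, relayed through one of the
# org's Google Groups, with Reply-To pointed at the attacker's mailbox.
RELAYED_VIP_SPOOF = {
    "type": "inbound",
    "sender": {"display_name": "'Jane Doe' via AP Group", "email": "ap-group@example.com"},
    "subject": "RE: Overdue invoice - urgent",
    "reply_to": [{"display_name": "Jane Doe", "email": "jane.doe.ceo@gmail.com"}],
    "return_path": "ap-group+bncBC3QKCD@googlegroups.com",
    "hops": [{"index": 0, "fields": {
        "Return-Path": "<ap-group+bncBC3QKCD@googlegroups.com>",
        "Received": "from mail-sor-f41.google.com by mx.example.com",
        "X-Original-Sender": "jane.doe.ceo@gmail.com",
    }}],
    "in_reply_to": None,
    "dmarc_from_root_domain": "gmail.com",  # DMARC is evaluated on the original From
    "nlu": {"entities": ["financial"], "tags": ["invoice"]},  # assumed classifier output
}

# Same relay, but a genuine internal thread: Reply-To stays in the org domain.
INTERNAL_GROUP_THREAD = {
    **RELAYED_VIP_SPOOF,
    "reply_to": [{"display_name": "Jane Doe", "email": "jane.doe@example.com"}],
    "in_reply_to": "<20240101.1@example.com>",
    "dmarc_from_root_domain": "example.com",
}

if __name__ == "__main__":
    for label, m in (("spoof", RELAYED_VIP_SPOOF), ("internal", INTERNAL_GROUP_THREAD)):
        print(label, rule_matches(m), [n for n, h in suspicious_indicators(m) if h])
```

Run as a script: the spoofed relay matches with all six indicators set, while the internal thread still trips three indicators (financial entity, invoice tag, reply-to not among recipients) but is stopped by step 5, because its Reply-To root domain is an org domain. That is the gate doing the real work here; the "3 of" block mostly raises the bar on confidence.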

Indicators matched (4)

Field                                                          Match      Value
regex.icontains                                                regex      X-Authenticated-Sender|X-Sender|X-Original-Sender
strings.icontains                                              substring  googlegroups
ml.nlu_classifier(body.current_thread.text).entities[].name    equals     financial
ml.nlu_classifier(body.current_thread.text).tags[].name        equals     invoice