Impersonation: Salesforce fake campaign failure notification
Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.current_thread |
| body.links (collection) |
| sender |
| sender.email |
| type |
Rule body MQL
```mql
type.inbound
and strings.icontains(sender.display_name, "salesforce")
and sender.email.domain.root_domain not in (
    "salesforce.com",
    "force.com",
    "site.com",
    "agentforce.com"
)
and length(attachments) == 0
// there are external links (not org or SF domains)
and length(filter(body.links,
        .href_url.domain.domain not in $org_domains
        and .href_url.domain.root_domain not in (
            "salesforce.com",
            "force.com",
            "site.com" // salesforce CRM
        )
    )
) > 0
and length(body.current_thread.text) <= 600
and strings.contains(body.current_thread.text, 'campaign')
and any(ml.nlu_classifier(body.current_thread.text).entities,
    .name == "urgency" and regex.icontains(.text, "(failed|cancelled)")
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
    .name == "request"
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.display_name contains 'salesforce'
- sender.email.domain.root_domain not in ('salesforce.com', 'force.com', 'site.com', 'agentforce.com')
- length(attachments) is 0
- length(filter(body.links, .href_url.domain.domain not in $org_domains and .href_url.domain.root_domain not in ('salesforce.com', 'force.com', 'site.com'))) > 0
- length(body.current_thread.text) ≤ 600
- body.current_thread.text contains 'campaign'
- any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
  - .name is 'urgency'
  - .text matches '(failed|cancelled)'
- any of ml.nlu_classifier(body.current_thread.text).entities where:
  - .name is 'request'
Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.contains, strings.icontains. Reference lists: $org_domains.
Indicators matched (12)
| Field | Match | Value |
|---|---|---|
| strings.icontains | substring | salesforce |
| sender.email.domain.root_domain | member | salesforce.com |
| sender.email.domain.root_domain | member | force.com |
| sender.email.domain.root_domain | member | site.com |
| sender.email.domain.root_domain | member | agentforce.com |
| body.links[].href_url.domain.root_domain | member | salesforce.com |
| body.links[].href_url.domain.root_domain | member | force.com |
| body.links[].href_url.domain.root_domain | member | site.com |
| strings.contains | substring | campaign |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency |
| regex.icontains | regex | (failed|cancelled) |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |