Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and (
  strings.ilike(sender.display_name, '*spotify*')
  or strings.ilevenshtein(sender.display_name, 'spotify') <= 1
  or strings.ilike(sender.email.domain.domain, '*spotify*')
  or (
    regex.icontains(body.current_thread.text, 'Spotify AB\b')
    and any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "Spotify" and .confidence != "low"
    )
  )
)
and sender.email.domain.root_domain not in~ (
  'spotify.com',
  'byspotify.com',
  'echosign.com',
  'fromspotify.com',
  'anchor.fm'
)
and sender.email.domain.domain not in~ ('privaterelay.appleid.com')
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
```
Detection logic
Scope: inbound message.
Impersonation of Spotify.
- inbound message
- any of:
  - sender.display_name matches '*spotify*'
  - sender.display_name is similar to 'spotify'
  - sender.email.domain.domain matches '*spotify*'
  - all of:
    - body.current_thread.text matches 'Spotify AB\b'
    - any of ml.logo_detect(file.message_screenshot()).brands where all hold:
      - .name is 'Spotify'
      - .confidence is not 'low'
- sender.email.domain.root_domain not in ('spotify.com', 'byspotify.com', 'echosign.com', 'fromspotify.com', 'anchor.fm')
- sender.email.domain.domain not in ('privaterelay.appleid.com')
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not:
      - profile.by_sender().any_messages_benign
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not:
      - headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, profile.by_sender, regex.icontains, strings.ilevenshtein, strings.ilike. Reference lists: $high_trust_sender_root_domains.
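To show how the rule body composes its brand, allowlist, sender-profile and DMARC checks, here is an added Python approximation of the detection logic (not Sublime's code or its MQL engine). It assumes constructed message records, treats a pre-computed `logo_brands` list as a stand-in for `ml.logo_detect(file.message_screenshot())`, and uses a constructed placeholder set for the `$high_trust_sender_root_domains` reference list.

```python
import fnmatch
import re

# Constructed lists: the rule's allowlisted Spotify root domains, and an assumed
# stand-in for the $high_trust_sender_root_domains reference list
SPOTIFY_ROOT_DOMAINS = {"spotify.com", "byspotify.com", "echosign.com", "fromspotify.com", "anchor.fm"}
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}

def ilevenshtein(a, b):
    """Case-insensitive edit distance, mirroring strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def ilike(value, pattern):
    """Case-insensitive glob match, mirroring strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def make_msg(**overrides):
    """Constructed message record; logo_brands stands in for ml.logo_detect output."""
    base = dict(inbound=True, display_name="Spotify", domain="music-billing.example",
                root_domain="music-billing.example", body="", prevalence="new",
                any_malicious_or_spam=False, any_benign=False, dmarc_pass=True, logo_brands=[])
    base.update(overrides)
    return base

def is_spotify_impersonation(msg):
    """Evaluate the rule body above against one message record."""
    brand_signal = (
        ilike(msg["display_name"], "*spotify*")
        or ilevenshtein(msg["display_name"], "spotify") <= 1
        or ilike(msg["domain"], "*spotify*")
        or (re.search(r"Spotify AB\b", msg["body"], re.I) is not None
            and any(n == "Spotify" and c != "low" for n, c in msg["logo_brands"]))
    )
    root = msg["root_domain"].lower()
    legit_sender = root in SPOTIFY_ROOT_DOMAINS or msg["domain"].lower() == "privaterelay.appleid.com"
    sender_unknown = msg["prevalence"] in ("new", "outlier") or (
        msg["any_malicious_or_spam"] and not msg["any_benign"])
    # highly trusted root domains are exempt unless they fail DMARC
    trusted_and_authenticated = root in HIGH_TRUST_ROOT_DOMAINS and msg["dmarc_pass"]
    return (msg["inbound"] and brand_signal and not legit_sender
            and sender_unknown and not trusted_and_authenticated)
```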
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *spotify* |
| strings.ilevenshtein | fuzzy | spotify |
| regex.icontains | regex | Spotify AB\b |
| ml.logo_detect(file.message_screenshot()).brands[].name | equals | Spotify |
| sender.email.domain.root_domain | member | spotify.com |
| sender.email.domain.root_domain | member | byspotify.com |
| sender.email.domain.root_domain | member | echosign.com |
| sender.email.domain.root_domain | member | fromspotify.com |
| sender.email.domain.root_domain | member | anchor.fm |
| sender.email.domain.domain | member | privaterelay.appleid.com |