Brand impersonation: ukr[.]net
Impersonation of ukr[.]net. Originally reported by CERT-UA on 7 March 2022, these phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| sender |
| sender.email |
| subject |
| type |
Rule body (MQL)
```mql
type.inbound
and (
  (
    // technique
    strings.ilike(sender.display_name, "ukr*net")
    and sender.email.domain.root_domain != "ukr.net"
  )
  or (
    // IOCs
    subject.subject == "Увага"
    and (
      sender.email.email in (
        "muthuprakash.b@tvsrubber.com",
        "rakesh.ict@msruas.ac.in",
        "omars@salecharter.net",
        "citi.in.pm@xerago.com",
        "qs@gsengint.com",
        "sec.ls@msruas.ac.in",
        "vaishnavi.kj@tvsrubber.com",
        "nshcorp@nshcorp.in",
        "purchase2@hitechelastomers.com",
        "productionbelgavi@hodekindia.com",
        "narayanababu.py.ph@msruas.ac.in",
        "roopa.tsld@msruas.ac.in",
        "in-nonciti.basupport@xerago.com",
        "info@empiink.com",
        "pooja.fa@msruas.ac.in",
        "babu.d@tvsrubber.com",
        "systeam@xerago.com",
        "dean.ds@msruas.ac.in",
      )
      or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
    )
  )
)
```
Detection logic
Scope: inbound message.
The rule has two independent branches. The technique branch catches any inbound message whose display name claims to be ukr.net while the sending address is not registered under ukr.net; strings.ilike is a case-insensitive match in which '*' stands for any run of characters and the pattern must cover the whole display name, so 'UKR.NET' and 'Ukr Net' match but 'Support ukr.net' does not. The IOC branch pins the specific campaign: the subject must equal 'Увага' (Ukrainian for "Attention"; an exact, case-sensitive comparison) and the message must come from one of the compromised sender addresses or link to the credential-harvesting host.
- inbound message
  any of:
    all of (technique):
      - sender.display_name matches 'ukr*net'
      - sender.email.domain.root_domain is not 'ukr.net'
    all of (IOCs):
      - subject.subject is 'Увага'
      any of:
        - sender.email.email in ('muthuprakash.b@tvsrubber.com', 'rakesh.ict@msruas.ac.in', 'omars@salecharter.net', 'citi.in.pm@xerago.com', 'qs@gsengint.com', 'sec.ls@msruas.ac.in', 'vaishnavi.kj@tvsrubber.com', 'nshcorp@nshcorp.in', 'purchase2@hitechelastomers.com', 'productionbelgavi@hodekindia.com', 'narayanababu.py.ph@msruas.ac.in', 'roopa.tsld@msruas.ac.in', 'in-nonciti.basupport@xerago.com', 'info@empiink.com', 'pooja.fa@msruas.ac.in', 'babu.d@tvsrubber.com', 'systeam@xerago.com', 'dean.ds@msruas.ac.in')
        - any of body.links where .href_url.domain.domain is 'consumerspanel.frge.io'
Inspects: body.links, body.links[].href_url.domain.domain, sender.display_name, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: strings.ilike.
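To see the two branches behave on concrete input, the following Python reimplements the rule's logic outside Sublime. This is an added example, not Sublime's code or engine: `ilike` and `root_domain` are approximations of the MQL functions (the registrable-domain shortcut in particular is an assumption noted in the comments, since Sublime uses the Public Suffix List), the `Message` model and the sample messages are constructed for this example, and only the IOC values are copied from the rule body above.

```python
import re
from dataclasses import dataclass, field

# IOCs copied from the rule body above.
IOC_SUBJECT = "Увага"            # Ukrainian for "Attention"; the rule uses an exact '==' match
IOC_LINK_DOMAIN = "consumerspanel.frge.io"
IOC_SENDERS = frozenset({
    "muthuprakash.b@tvsrubber.com", "rakesh.ict@msruas.ac.in", "omars@salecharter.net",
    "citi.in.pm@xerago.com", "qs@gsengint.com", "sec.ls@msruas.ac.in",
    "vaishnavi.kj@tvsrubber.com", "nshcorp@nshcorp.in", "purchase2@hitechelastomers.com",
    "productionbelgavi@hodekindia.com", "narayanababu.py.ph@msruas.ac.in", "roopa.tsld@msruas.ac.in",
    "in-nonciti.basupport@xerago.com", "info@empiink.com", "pooja.fa@msruas.ac.in",
    "babu.d@tvsrubber.com", "systeam@xerago.com", "dean.ds@msruas.ac.in",
})


@dataclass
class Message:
    """The few message attributes the rule inspects (constructed model, not Sublime's)."""
    inbound: bool                 # type.inbound
    display_name: str             # sender.display_name
    sender_email: str             # sender.email.email
    subject: str                  # subject.subject
    link_domains: list[str] = field(default_factory=list)  # body.links[].href_url.domain.domain


def ilike(value: str, pattern: str) -> bool:
    """Emulate strings.ilike: case-insensitive, '*' matches any run of characters,
    and the pattern must cover the whole string, so 'ukr*net' matches 'UKR.NET'
    and 'Ukr Net' but not 'Support ukr.net'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def root_domain(host: str) -> str:
    """Approximate sender.email.domain.root_domain (the registrable domain) as the
    last two labels. Sublime uses the Public Suffix List; this shortcut is an
    assumption for the example and is wrong for suffixes such as .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def matches_rule(msg: Message) -> bool:
    """Return True when the message satisfies either branch of the rule."""
    if not msg.inbound:
        return False
    sender_host = msg.sender_email.rsplit("@", 1)[-1]
    # Technique branch: display name claims ukr.net, address is not under ukr.net.
    technique = (ilike(msg.display_name, "ukr*net")
                 and root_domain(sender_host) != "ukr.net")
    # IOC branch: exact subject plus a known sender address or landing-page domain.
    ioc = (msg.subject == IOC_SUBJECT
           and (msg.sender_email in IOC_SENDERS
                or any(d == IOC_LINK_DOMAIN for d in msg.link_domains)))
    return technique or ioc


# Constructed sample messages; none are real captures.
SAMPLES = {
    "lookalike_display_name": Message(True, "UKR.NET", "support@ukr-net-login.com", "Password reset"),
    "legitimate_subdomain":   Message(True, "UKR.NET", "noreply@mail.ukr.net", "Password reset"),
    "known_sender_ioc":       Message(True, "Mail service", "info@empiink.com", "Увага"),
    "known_link_ioc":         Message(True, "Admin", "admin@example.org", "Увага",
                                      ["consumerspanel.frge.io"]),
    "subject_drift":          Message(True, "Admin", "admin@example.org", "Увага!",
                                      ["consumerspanel.frge.io"]),
    "outbound_copy":          Message(False, "UKR.NET", "support@ukr-net-login.com", "Увага"),
}


def evaluate_samples() -> dict[str, bool]:
    """Run every sample through the rule and return name -> verdict."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH' if hit else 'pass '}  {name}")
```

Two of the samples show the edges a practitioner should know about: `legitimate_subdomain` is not flagged because root_domain collapses mail.ukr.net to ukr.net, and `subject_drift` escapes the IOC branch because the subject comparison is exact, so a variant with trailing punctuation only triggers if it also trips the display-name technique.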
Indicators matched (21)
| Field | Match | Value |
|---|---|---|
| sender.display_name | ilike (case-insensitive wildcard, whole string) | ukr*net |
| subject.subject | equals | Увага |
| sender.email.email | member | muthuprakash.b@tvsrubber.com |
| sender.email.email | member | rakesh.ict@msruas.ac.in |
| sender.email.email | member | omars@salecharter.net |
| sender.email.email | member | citi.in.pm@xerago.com |
| sender.email.email | member | qs@gsengint.com |
| sender.email.email | member | sec.ls@msruas.ac.in |
| sender.email.email | member | vaishnavi.kj@tvsrubber.com |
| sender.email.email | member | nshcorp@nshcorp.in |
| sender.email.email | member | purchase2@hitechelastomers.com |
| sender.email.email | member | productionbelgavi@hodekindia.com |
| sender.email.email | member | narayanababu.py.ph@msruas.ac.in |
| sender.email.email | member | roopa.tsld@msruas.ac.in |
| sender.email.email | member | in-nonciti.basupport@xerago.com |
| sender.email.email | member | info@empiink.com |
| sender.email.email | member | pooja.fa@msruas.ac.in |
| sender.email.email | member | babu.d@tvsrubber.com |
| sender.email.email | member | systeam@xerago.com |
| sender.email.email | member | dean.ds@msruas.ac.in |
| body.links[].href_url.domain.domain | equals | consumerspanel.frge.io |