detection.wiki

Detection rules › Sublime MQL

VIP impersonation with BEC language (near match, untrusted sender)

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Sender is using a display name that matches the display name of someone in your $org_vips list. Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesImpersonation: VIP, Social engineering

Event coverage

Message attribute
body.current_thread
headers (collection)
headers.auth_summary
headers.reply_to (collection)
sender
sender.email
type

Rule body MQL

type.inbound
and any($org_vips,
        0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence in ("medium", "high")
)
and (
  (
    profile.by_sender().prevalence != "common"
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or profile.by_sender().days_since.last_outbound > 365
)
// negate sharepoint notifications originating from within the org
and not (
  sender.email.email in ('no-reply@sharepointonline.com')
  and length(headers.reply_to) > 0
  and all(headers.reply_to, .email.domain.root_domain in $org_domains)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

Sender is using a display name that matches the display name of someone in your $org_vips list. Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

  1. inbound message
  2. any of $org_vips where all hold:
    • strings.ilevenshtein(sender.display_name) ≥ 0
    • strings.ilevenshtein(sender.display_name) < 4
  3. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name is 'bec'
    • .confidence in ('medium', 'high')
  4. any of:
    • all of:
      • profile.by_sender().prevalence is not 'common'
      • not:
        • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
    • profile.by_sender().days_since.last_outbound > 365
  5. not:
    • all of:
      • sender.email.email in ('no-reply@sharepointonline.com')
      • length(headers.reply_to) > 0
      • all of headers.reply_to where:
        • .email.domain.root_domain in $org_domains
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  7. not:
    • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.reply_to, headers.reply_to[].email.domain.root_domain, sender.display_name, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, strings.ilevenshtein. Reference lists: $high_trust_sender_root_domains, $org_domains, $org_vips.

Indicators matched (4)

FieldMatchValue
ml.nlu_classifier(body.current_thread.text).intents[].nameequalsbec
ml.nlu_classifier(body.current_thread.text).intents[].confidencemembermedium
ml.nlu_classifier(body.current_thread.text).intents[].confidencememberhigh
sender.email.emailmemberno-reply@sharepointonline.com