Detection rules › Sublime MQL
Issuu document with suspicious embedded link
Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Free file host, Evasion |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.root_domain == "issuu.com"
and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
// suspicious link in the Issuu document
and (
any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
strings.icontains(.url.path, "/links/")
),
// less than 3 links in the Issuu document
length(.json["1"]) < 3
and any(.json["1"],
strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
)
)
// or, credential phishing language on the page
or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
mode="aggressive"
).screenshot
).text
).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
and not profile.by_sender_email().any_messages_benign
Detection logic
Scope: inbound message.
Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.root_domain is 'issuu.com'
- .href_url.query_params is 'fr=xKAE9_zU1NQ'
any of:
any of
filter(...)where all hold:- length(.json['1']) < 3
any of
.json['1']where any holds:- strings.parse_url(.['url']).domain.tld in $suspicious_tlds
- strings.parse_url(.['url']).domain.domain in $free_subdomain_hosts
- strings.parse_url(.['url']).domain.root_domain in $free_subdomain_hosts
- ml.link_analysis(strings.parse_url(.['url'])).credphish.disposition is 'phishing'
any of
ml.nlu_classifier(beta.ocr(ml.link_analysis(., mode='aggressive').screenshot).text).intentswhere all hold:- .name is 'cred_theft'
- .confidence is not 'low'
not:
- profile.by_sender_email().any_messages_benign
Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.query_params, type.inbound. Sensors: beta.ocr, ml.link_analysis, ml.nlu_classifier, profile.by_sender_email, strings.icontains, strings.parse_url. Reference lists: $free_subdomain_hosts, $suspicious_tlds.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.root_domain | equals | issuu.com |
body.links[].href_url.query_params | equals | fr=xKAE9_zU1NQ |
strings.icontains | substring | /links/ |
ml.nlu_classifier(beta.ocr(ml.link_analysis(body.links[], mode='aggressive').screenshot).text).intents[].name | equals | cred_theft |