Link: Apple App Store malicious ad manager themed apps from free email provider
Detects messages containing Apple App Store links that were sent from free email providers, indicating potential abuse of legitimate Apple services hosting malicious ad manager themed applications.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, BEC/Fraud, Malware/Ransomware |
| Tactics and techniques | Free email provider, Social engineering, Evasion |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| type |
Rule body MQL

```mql
type.inbound
and any(body.current_thread.links,
  .href_url.domain.domain in ('apps.apple.com')
  and regex.icount(.href_url.path,
    '[/-](?:suite|ads?|manager?|campaigns?)'
  ) >= 2
)
and sender.email.domain.domain in $free_email_providers
```
Detection logic
Scope: inbound message.
- inbound message
- any of body.current_thread.links where all hold:
  - .href_url.domain.domain in ('apps.apple.com')
  - regex.icount(.href_url.path, '[/-](?:suite|ads?|manager?|campaigns?)') ≥ 2
- sender.email.domain.domain in $free_email_providers
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.domain, body.current_thread.links[].href_url.path, sender.email.domain.domain, type.inbound. Sensors: regex.icount. Reference lists: $free_email_providers.
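To show how the three clauses combine on a concrete message, here is an added Python reimplementation of the rule's logic (not Sublime's own code). The free-provider set is a constructed stand-in for $free_email_providers, and URL host/path are taken from urllib rather than MQL's href_url fields.

```python
import re
from typing import Iterable
from urllib.parse import urlparse

# Constructed stand-in for Sublime's $free_email_providers reference list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

# Same pattern as the rule. regex.icount is case-insensitive and counts
# non-overlapping matches, which re.IGNORECASE + findall reproduces.
AD_MANAGER_PATTERN = re.compile(
    r"[/-](?:suite|ads?|manager?|campaigns?)", re.IGNORECASE
)


def ad_keyword_count(href: str) -> int:
    """Number of ad-manager keywords in the link path (regex.icount equivalent)."""
    return len(AD_MANAGER_PATTERN.findall(urlparse(href).path))


def link_is_suspicious(href: str) -> bool:
    """Per-link clause: host must be apps.apple.com (full domain, as the
    rule compares domain.domain) and the path needs >= 2 keyword hits."""
    if urlparse(href).hostname != "apps.apple.com":
        return False
    return ad_keyword_count(href) >= 2


def rule_matches(inbound: bool, sender_email: str, links: Iterable[str]) -> bool:
    """Whole rule: inbound AND any suspicious link AND free-provider sender."""
    if not inbound:
        return False
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain not in FREE_EMAIL_PROVIDERS:
        return False
    return any(link_is_suspicious(href) for href in links)


if __name__ == "__main__":
    # Constructed sample: "/ads", "-manager" and "-suite" each match -> count 3.
    sample_link = "https://apps.apple.com/us/app/ads-manager-suite/id123"
    print(rule_matches(True, "someone@gmail.com", [sample_link]))  # True
    print(rule_matches(True, "someone@corp.example", [sample_link]))  # False
```

A legitimate App Store link such as a calculator app yields zero keyword hits, so the count threshold, not the domain alone, is what separates the two cases.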
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
| body.current_thread.links[].href_url.domain.domain | member | apps.apple.com |
| regex.icount | regex | [/-](?:suite\|ads?\|manager?\|campaigns?) |