Detection rules › Sublime MQL
Catbox.moe link from untrusted source
Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Free file host, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.root_domain == "catbox.moe"
and not strings.iends_with(.href_url.path, ".json")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Detects messages containing links to catbox.moe file hosting service from senders who either aren't in highly trusted domains or failed DMARC authentication
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.root_domain is 'catbox.moe'
not:
- .href_url.path ends with '.json'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- coalesce(headers.auth_summary.dmarc.pass)
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: strings.iends_with. Reference lists: $high_trust_sender_root_domains.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.root_domain | equals | catbox.moe |
strings.iends_with | suffix | .json |