Brand impersonation: Coinbase with suspicious links
Detects messages that impersonate Coinbase (Coinbase logo found in an image attachment or in a rendered screenshot of the message), come from a sender whose root domain is not coinbase.com, and carry between one and four links, none of them to coinbase.com, where at least one link is on a URL shortener, a social landing-page host, or another low-reputation host.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Free subdomain host, Image as content, Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body |
| body.links (collection) |
| sender.email |
| type |
Rule body (MQL)

```mql
type.inbound
and sender.email.domain.root_domain != "coinbase.com"
// between one and four links
and 0 < length(body.links) < 5
// none of the links are to coinbase.com
and all(body.links, .href_url.domain.root_domain != "coinbase.com")
// low rep or url shortened links found
and any(body.links,
        .href_url.domain.domain in $url_shorteners
        or .href_url.domain.domain in $social_landing_hosts
        // exempting legitimate Google Maps shortener
        and (
          not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
          or (
            .href_url.domain.domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
            or
            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
            )
          )
        )
)
// Coinbase logo
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, .name == "Coinbase")
  )
  or any(ml.logo_detect(file.message_screenshot()).brands, .name == "Coinbase")
)
```
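The per-link predicate inside `any(body.links, ...)` is worth evaluating by hand, because MQL gives `and` higher precedence than `or`, so the body parses as `A or (B and (C or D))` rather than `(A or B) and (C or D)`, and the inner group D repeats the `$url_shorteners` and `$social_landing_hosts` tests. The Python model below is an added example, not Sublime code: the reference-list contents are constructed stand-ins (the real `$url_shorteners`, `$tranco_1m` and similar lists are curated by Sublime and differ), `strings.ilike` is modelled with `fnmatch` (`*` any run, `?` exactly one character), and the `Link` fields stand in for `.href_url.url`, `.href_url.domain.domain` and `.href_url.domain.root_domain`. It evaluates the predicate both as parsed and as the "exempting" comment implies, and checks exhaustively over sample links that both collapse to `domain in $url_shorteners or domain in $social_landing_hosts`.

```python
"""Stand-alone model of the rule's per-link predicate (added example, not Sublime code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import product

# Constructed list contents (assumption): just enough to exercise every branch.
URL_SHORTENERS = {"bit.ly", "goo.gl"}
SOCIAL_LANDING_HOSTS = {"linktr.ee"}
TRANCO_1M = {"goo.gl", "linktr.ee", "bit.ly", "example.com", "coinbase.com"}
FREE_FILE_HOSTS = {"drive.google.com"}
FREE_SUBDOMAIN_HOSTS = {"wixsite.com"}
MASS_MAILER_ROOTS = {"hubspotlinks.com", "mandrillapp.com", "sendgrid.net"}


@dataclass(frozen=True)
class Link:
    url: str          # .href_url.url
    domain: str       # .href_url.domain.domain (full host)
    root_domain: str  # .href_url.domain.root_domain (registrable domain)


def ilike(value: str, pattern: str) -> bool:
    """Model of strings.ilike: case-insensitive glob, '*' any run, '?' one char."""
    return fnmatchcase(value.lower(), pattern.lower())


def not_maps(link: Link) -> bool:
    """Term C: not strings.ilike(.href_url.url, "http?://goo.gl/maps*")."""
    return not ilike(link.url, "http?://goo.gl/maps*")


def low_rep_or_masked(link: Link) -> bool:
    """Term D: the inner 'or (...)' group of the rule, term for term."""
    return (link.domain not in TRANCO_1M
            or link.domain in FREE_FILE_HOSTS
            or link.root_domain in FREE_FILE_HOSTS
            or link.root_domain in FREE_SUBDOMAIN_HOSTS
            or link.domain in URL_SHORTENERS
            or link.domain in SOCIAL_LANDING_HOSTS
            or link.root_domain in MASS_MAILER_ROOTS)


def link_predicate_as_parsed(link: Link) -> bool:
    """A or B and (C or D): 'and' binds tighter, so A or (B and (C or D))."""
    a = link.domain in URL_SHORTENERS
    b = link.domain in SOCIAL_LANDING_HOSTS
    return a or (b and (not_maps(link) or low_rep_or_masked(link)))


def link_predicate_as_commented(link: Link) -> bool:
    """The reading the 'exempting' comment implies: (A or B) and (C or D)."""
    a = link.domain in URL_SHORTENERS
    b = link.domain in SOCIAL_LANDING_HOSTS
    return (a or b) and (not_maps(link) or low_rep_or_masked(link))


def link_predicate_reduced(link: Link) -> bool:
    """What both readings collapse to, because D re-tests A and B."""
    return link.domain in URL_SHORTENERS or link.domain in SOCIAL_LANDING_HOSTS


def message_fires(sender_root: str, links: list[Link], coinbase_logo: bool,
                  predicate=link_predicate_as_parsed) -> bool:
    """The message-level conditions wrapped around any(body.links, ...)."""
    return (sender_root != "coinbase.com"
            and 0 < len(links) < 5
            and all(l.root_domain != "coinbase.com" for l in links)
            and any(predicate(l) for l in links)
            and coinbase_logo)


def exemption_is_dead() -> bool:
    """Exhaustively compare the three forms over every combination of sample
    URL (maps/not maps, https/http), host and root domain."""
    hosts = ["goo.gl", "bit.ly", "linktr.ee", "wixsite.com", "example.com",
             "drive.google.com", "sendgrid.net", "unknown-host.example"]
    urls = ["https://goo.gl/maps/abc", "http://goo.gl/maps/abc",
            "https://example.com/x"]
    for url, domain, root in product(urls, hosts, hosts):
        link = Link(url, domain, root)
        if not (link_predicate_as_parsed(link)
                == link_predicate_as_commented(link)
                == link_predicate_reduced(link)):
            return False
    return True


if __name__ == "__main__":
    maps = Link("https://goo.gl/maps/abc", "goo.gl", "goo.gl")
    print("predicate reduces to A or B:", exemption_is_dead())
    print("goo.gl/maps link still matches:", link_predicate_as_parsed(maps))
    print("message fires:", message_fires("attacker.example", [maps], True))
```

Two consequences follow for tuning: the goo.gl/maps exemption can never suppress a match (and even if it could, the `?` in `http?://` matches exactly one character, so only `https://` URLs would be exempted), and a link that is merely absent from `$tranco_1m`, or on a free file, free subdomain or mass-mailer host, does not satisfy the rule unless its host is also in `$url_shorteners` or `$social_landing_hosts`.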
Detection logic
Scope: inbound message.
Note on the link predicate: MQL gives `and` higher precedence than `or`, so the body of `any(body.links, ...)` parses as `A or (B and (C or D))`, where A is membership in $url_shorteners, B is membership in $social_landing_hosts, C is the negated goo.gl/maps pattern and D is the inner low-reputation group; the tree below reflects that parse. Because D itself repeats the $url_shorteners and $social_landing_hosts tests, D is true whenever A or B is, and the whole predicate reduces to `A or B`: the goo.gl/maps exemption can never suppress a match, and a link that is only absent from $tranco_1m, or only on a free file host, free subdomain host or mass-mailer redirector, does not satisfy the rule by itself. Separately, `?` in strings.ilike matches exactly one character, so "http?://goo.gl/maps*" matches https:// but not http:// URLs.
- inbound message (type.inbound)
- sender.email.domain.root_domain is not "coinbase.com"
- all of:
  - length(body.links) > 0
  - length(body.links) < 5
- all of body.links satisfy:
  - .href_url.domain.root_domain is not "coinbase.com"
- any of body.links satisfies any of:
  - .href_url.domain.domain in $url_shorteners
  - all of:
    - .href_url.domain.domain in $social_landing_hosts
    - any of:
      - not: .href_url.url matches "http?://goo.gl/maps*"
      - any of:
        - .href_url.domain.domain not in $tranco_1m
        - .href_url.domain.domain in $free_file_hosts
        - .href_url.domain.root_domain in $free_file_hosts
        - .href_url.domain.root_domain in $free_subdomain_hosts
        - .href_url.domain.domain in $url_shorteners
        - .href_url.domain.domain in $social_landing_hosts
        - .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
- any of:
  - any of attachments satisfies all of:
    - .file_type in $file_types_images
    - any of ml.logo_detect(.).brands satisfies: .name is "Coinbase"
  - any of ml.logo_detect(file.message_screenshot()).brands satisfies: .name is "Coinbase"
Inspects: attachments[].file_type, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.url, sender.email.domain.root_domain, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, strings.ilike. Reference lists: $file_types_images, $free_file_hosts, $free_subdomain_hosts, $social_landing_hosts, $tranco_1m, $url_shorteners.
Indicators matched (6)
| Field | Match | Value |
|---|---|---|
| body.links[].href_url.url | strings.ilike glob (case-insensitive; `?` one character, `*` any run) | http?://goo.gl/maps* |
| body.links[].href_url.domain.root_domain | member | hubspotlinks.com |
| body.links[].href_url.domain.root_domain | member | mandrillapp.com |
| body.links[].href_url.domain.root_domain | member | sendgrid.net |
| ml.logo_detect(attachments[]).brands[].name | equals | Coinbase |
| ml.logo_detect(file.message_screenshot()).brands[].name | equals | Coinbase |