Detection rules › Sublime MQL
Brand impersonation: Cloud services with credential theft intent
Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message body starts with 'Cloud', a cloud emoji, or 'Cloud+' text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Event coverage
Rule body (MQL)

```mql
type.inbound
and (
  any([body.current_thread.text, body.html.inner_text],
      strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
  )
  // cloud emoji
  or regex.contains(body.current_thread.text, '^\x{2601}')
  or regex.icontains(body.current_thread.text, '^!\s*Cloud storage')
  // address in the body
  or strings.icontains(body.current_thread.text,
                       '4563 Cloud Way, Server City, CA'
  )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          'File Sharing and Cloud Services',
          'Payment Information',
          'Financial Communications'
        )
        and .confidence != 'low'
)
// sender domain matches no body domains
and length(filter(body.links,
                  .href_url.scheme != 'mailto'
                  and .href_url.domain.root_domain is not null
                  and .href_url.domain.root_domain != 'oracle.com'
           )
    ) > 0
and all(filter(body.links,
               .href_url.scheme != 'mailto'
               and .href_url.domain.root_domain is not null
        ),
        .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain, "")
)
// negate legit cloud companies
and not (
  coalesce(sender.email.domain.root_domain, "") in (
    "cloud-cme.com",
    "cloudcounting.online",
    "cloudhealthtech.com",
    "cloudpano.com"
  )
  // check for SPF or DMARC passed
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate Spark Cloud Attachments
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Readdle-Spark-Cloud-Attachment"
                    and .value is not null
            )
)
and not (
  sender.email.email == "noreply@icloud.com.cn"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
```
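To trace how the rule's predicates and exclusions combine on a concrete message, here is an added plain-Python emulation of its logic (not code from Sublime or from the rule page). It assumes the NLU classifier output is supplied as data, uses a simplified `root_domain()` (last two labels, not a public suffix list), and represents the first hop's header fields as a dict; all sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Allow-listed vendors from the rule's "negate legit cloud companies" block
LEGIT_CLOUD_SENDERS = {"cloud-cme.com", "cloudcounting.online",
                       "cloudhealthtech.com", "cloudpano.com"}
TOPICS = {"File Sharing and Cloud Services", "Payment Information",
          "Financial Communications"}

def root_domain(host):
    # Assumption: last two labels stand in for the engine's root_domain (no public suffix list)
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def matches_rule(msg, high_trust=frozenset()):
    """True when the constructed message satisfies every condition of the rule."""
    text = msg["body_text"]
    # Lure: body starts with 'Cloud', a cloud emoji, '! Cloud storage', or the fake address
    lure = (text.startswith("Cloud") or "cloud+ " in text.lower()
            or re.match(r"^\u2601", text) is not None
            or re.match(r"^!\s*Cloud storage", text, re.I) is not None
            or "4563 cloud way, server city, ca" in text.lower())
    # NLU: high-confidence cred_theft intent plus a relevant topic that is not low confidence
    cred_theft = any(i["name"] == "cred_theft" and i["confidence"] == "high"
                     for i in msg["intents"])
    topic = any(t["name"] in TOPICS and t["confidence"] != "low" for t in msg["topics"])
    # Links: at least one non-mailto link with a root domain, none on the sender's root domain
    sender_root = root_domain(msg["sender"].split("@")[-1])
    hosts = [root_domain(u.hostname) for u in map(urlparse, msg["links"])
             if u.scheme != "mailto" and u.hostname]
    links_ok = any(h != "oracle.com" for h in hosts) and all(h != sender_root for h in hosts)
    # Exclusions: authenticated allow-listed vendors, authenticated high-trust domains,
    # Spark cloud attachments on hop 0, and DMARC-passing iCloud China notifications
    excluded = ((sender_root in LEGIT_CLOUD_SENDERS and (msg["spf_pass"] or msg["dmarc_pass"]))
                or (sender_root in high_trust and msg["dmarc_pass"])
                or msg["first_hop_headers"].get("X-Readdle-Spark-Cloud-Attachment") is not None
                or (msg["sender"] == "noreply@icloud.com.cn" and msg["dmarc_pass"]))
    return lure and cred_theft and topic and links_ok and not excluded

# Constructed sample: lure text, cred_theft intent, link off the sender's domain -> match
PHISH = {"sender": "alerts@cloud-notify.example", "body_text": "Cloud storage is full...",
         "links": ["https://login.example.net/verify", "mailto:help@cloud-notify.example"],
         "intents": [{"name": "cred_theft", "confidence": "high"}],
         "topics": [{"name": "File Sharing and Cloud Services", "confidence": "medium"}],
         "spf_pass": False, "dmarc_pass": False, "first_hop_headers": {}}
# Same lure from an allow-listed vendor that passes SPF -> excluded, no match
LEGIT = dict(PHISH, sender="billing@cloudpano.com", spf_pass=True)
```

Swapping the link in `PHISH` for one on the sender's own root domain also drops the match, which is the "sender domain matches no body domains" condition at work.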
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of [body.current_thread.text, body.html.inner_text] where any holds:
    - . starts with 'Cloud'
    - . contains 'Cloud+ ' (case-insensitive)
  - body.current_thread.text matches '^\x{2601}'
  - body.current_thread.text matches '^!\s*Cloud storage' (case-insensitive)
  - body.current_thread.text contains '4563 Cloud Way, Server City, CA' (case-insensitive)
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence is 'high'
- any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name in ('File Sharing and Cloud Services', 'Payment Information', 'Financial Communications')
  - .confidence is not 'low'
- length(filter(body.links, .href_url.scheme != 'mailto' and .href_url.domain.root_domain is not null and .href_url.domain.root_domain != 'oracle.com')) > 0
- all of filter(body.links, .href_url.scheme != 'mailto' and .href_url.domain.root_domain is not null) where:
  - .href_url.domain.root_domain is not coalesce(sender.email.domain.root_domain, '')
- not:
  - all of:
    - coalesce(sender.email.domain.root_domain, '') in ('cloud-cme.com', 'cloudcounting.online', 'cloudhealthtech.com', 'cloudpano.com')
    - any of:
      - headers.auth_summary.spf.pass
      - headers.auth_summary.dmarc.pass
- not:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - coalesce(headers.auth_summary.dmarc.pass, false)
- not:
  - any of headers.hops where all hold:
    - .index is 0
    - any of .fields where all hold:
      - .name is 'X-Readdle-Spark-Cloud-Attachment'
      - .value is set
- not:
  - all of:
    - sender.email.email is 'noreply@icloud.com.cn'
    - coalesce(headers.auth_summary.dmarc.pass, false)
Inspects: body.current_thread.text, body.html.inner_text, body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.scheme, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.hops[].index, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, regex.contains, regex.icontains, strings.icontains, strings.starts_with. Reference lists: $high_trust_sender_root_domains.
Indicators matched (12)
| Field | Match | Value |
|---|---|---|
| strings.starts_with | prefix | Cloud |
| strings.icontains | substring | Cloud+ |
| regex.contains | regex | ^\x{2601} |
| regex.icontains | regex | ^!\s*Cloud storage |
| strings.icontains | substring | 4563 Cloud Way, Server City, CA |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | File Sharing and Cloud Services |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Payment Information |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Financial Communications |
| headers.hops[].fields[].name | equals | X-Readdle-Spark-Cloud-Attachment |
| sender.email.email | equals | noreply@icloud.com.cn |