Detection rules › Sublime MQL

Link: URL shortener with copy-paste instructions and credential theft language

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects inbound messages in which every link points to a URL shortener and the body combines copy-paste instructions with high-confidence credential theft language. Telling the recipient to copy the address and paste it into a browser pushes them to enter the URL manually, which sidesteps automated URL analysis of the clickable link.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | Credential Phishing
Tactics and techniques | Evasion, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(body.current_thread.links) > 0
and all(body.current_thread.links,
        .href_url.domain.root_domain in $url_shorteners
)
and (
  strings.icontains(body.current_thread.text, 'copy')
  and (
    strings.icontains(body.current_thread.text, 'pasting')
    or strings.icontains(body.current_thread.text, 'paste')
  )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
and (
  // self sender
  (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // or the recipients are all undisclosed, or there are no recipients at all
  or (
    length(recipients.to) == 0
    or all(recipients.to, .email.domain.valid == false)
  )
)
// negate display urls that match the sender root domain
and not any(body.current_thread.links,
            .display_url.domain.root_domain == sender.email.domain.root_domain
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(body.current_thread.links) > 0
  3. all of body.current_thread.links where:
    • .href_url.domain.root_domain in $url_shorteners
  4. all of:
    • body.current_thread.text contains 'copy'
    • any of:
      • body.current_thread.text contains 'pasting'
      • body.current_thread.text contains 'paste'
  5. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name is 'cred_theft'
    • .confidence is 'high'
  6. any of:
    • all of:
      • length(recipients.to) is 1
      • sender.email.email is recipients.to[0].email.email
    • any of:
      • length(recipients.to) is 0
      • all of recipients.to where:
        • .email.domain.valid is False
  7. not:
    • any of body.current_thread.links where:
      • .display_url.domain.root_domain is sender.email.domain.root_domain

Inspects: body.current_thread.links, body.current_thread.links[].display_url.domain.root_domain, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.text, recipients.to, recipients.to[0].email.email, recipients.to[].email.domain.valid, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, strings.icontains. Reference lists: $url_shorteners.
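To make the clause structure above concrete, the following is an added Python re-implementation of the rule's checks run over constructed sample messages. It is not Sublime's code and does not use the Sublime platform: the shortener set and the credential-theft phrase list are stand-ins for the $url_shorteners reference list and the ml.nlu_classifier sensor (which the example cannot reproduce), root-domain extraction is a two-label approximation rather than a public-suffix lookup, the display-URL logic is an approximation of .display_url, and every address and short-link path is a placeholder. The three samples exercise the self-addressed case, the undisclosed-recipients case, and the negation clause (a shown URL on the sender's own root domain).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins (assumptions, not Sublime data): a few shortener domains in the
# style of $url_shorteners, and phrases approximating the NLU 'cred_theft' intent at
# 'high' confidence, which this example cannot reproduce.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
CRED_THEFT_PHRASES = ("verify your account", "password will expire", "validate your mailbox")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs: the analogue of body.current_thread.links."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def root_domain(host):
    # Assumption: registrable domain = last two labels (Sublime uses a public suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def display_root_domain(anchor_text):
    # Analogue of .display_url: only anchor text that itself reads as a URL or host counts.
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", anchor_text, re.I)
    return root_domain(m.group(1)) if m else None


def evaluate(raw):
    """Return each clause of the rule as a boolean plus the overall verdict under 'match'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0].addr_spec.lower()
    # 'undisclosed-recipients:;' is an empty group, so .addresses is () -> length 0
    to = [a.addr_spec.lower() for a in (msg["to"].addresses if msg["to"] else ())]
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    extractor = LinkExtractor()
    extractor.feed(body)
    text = re.sub(r"<[^>]+>", " ", body).lower()
    sender_root = root_domain(sender.rsplit("@", 1)[1])
    link_roots = [root_domain(urlparse(href).hostname or "") for href, _ in extractor.links]
    checks = {
        "has_links": len(extractor.links) > 0,
        "all_links_are_shorteners": all(r in URL_SHORTENERS for r in link_roots),
        # 'pasting' is not a substring of 'paste', hence both terms as in the rule
        "copy_paste_instructions": "copy" in text and ("pasting" in text or "paste" in text),
        "cred_theft_high": any(p in text for p in CRED_THEFT_PHRASES),
        # self-addressed, or no recipients, or none with a valid domain (approximated as 'has a dot')
        "self_or_undisclosed": ((len(to) == 1 and to[0] == sender) or not to
                                or all("." not in a.rsplit("@", 1)[-1] for a in to)),
        # negation clause: a shown URL on the sender's own root domain exempts the message
        "no_display_url_on_sender_domain": not any(
            display_root_domain(t) == sender_root for _, t in extractor.links),
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages; addresses and short-link paths are placeholders.
SELF_ADDRESSED = b"""From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your password will expire today. Copy and paste the link below into
your browser to keep your mailbox active.</p>
<p><a href="https://bit.ly/placeholder">Keep my account</a></p></body></html>
"""

UNDISCLOSED = b"""From: it-helpdesk@example.net
To: undisclosed-recipients:;
Content-Type: text/html; charset=utf-8

<html><body><p>To validate your mailbox, copy the address below and paste it into
your browser.</p>
<p><a href="https://tinyurl.com/placeholder">Validate now</a></p></body></html>
"""

SENDER_DOMAIN_SHOWN = b"""From: newsletter@example.org
To: jane.doe@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>If the button fails, copy and paste the address below.
Please verify your account to keep receiving updates.</p>
<p><a href="https://bit.ly/placeholder">https://example.org/digest</a></p></body></html>
"""
```

Calling evaluate() on each sample returns the per-clause booleans, which is the useful part when tuning: the first two samples satisfy every clause, while the third fails both the recipient clause and the display-URL negation even though its only link is a shortener and the wording matches. Note the example's phrase list is far cruder than the NLU intent the real rule relies on; it exists only so the structural clauses can be exercised offline.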

Indicators matched (5)

Field                                                            | Match     | Value
strings.icontains                                                | substring | copy
strings.icontains                                                | substring | pasting
strings.icontains                                                | substring | paste
ml.nlu_classifier(body.current_thread.text).intents[].name       | equals    | cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals    | high