Credential phishing language and suspicious indicators (unknown sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Free email provider, Social engineering |
Rule body MQL
type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // embedded in an image attachment
  // note: don't use message_screenshot()
  // because it's not limited to current_thread and may FP
  or any(attachments,
         .file_type in $file_types_images
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence == "high"
                 )
         )
  )
)
and 4 of (
  // impersonation of the recipient's domain or email address
  // in the subject to make it look more personalized
  any(recipients.to,
      (
        strings.icontains(subject.subject, .email.local_part)
        or strings.icontains(subject.subject, .email.domain.sld)
      )
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
  ),
  // recipient's email address in the body. this is not very uncommon
  // for legit credential themed messages either
  any(recipients.to,
      (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
      and strings.icontains(body.current_thread.text, .email.email)
  ),
  ( // page contains turnstile captcha
    any(body.links,
        strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                          'https://challenges.cloudflare.com/turnstile/',
        )
    )
  ),
  (
    // freemail providers should never be sending this type of email
    sender.email.domain.domain in $free_email_providers
    // if not freemail, it's suspicious if the sender's root domain
    // doesn't match any links in the body
    or (
      length(body.links) > 0
      and all(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    )
  ),
  strings.contains(body.current_thread.text,
                   "Your mailbox can no longer send or receive messages."
  ),
  // link redirects to a suspicious TLD
  any(body.links,
      any(ml.link_analysis(., mode="aggressive").redirect_history,
          .domain.tld in $suspicious_tlds
      )
  ),
  (
    // suspicious redirects
    // 3 or more different domains with 2 or more different TLDs
    // careful because click trackers will always make this at least 2
    // different domains and not unlikely 2 or more TLDs
    any(body.links,
        length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                            .domain.tld
                        )
               )
        ) >= 2
        and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                .domain.domain
                            )
                   )
            ) >= 3
    )
  ),
  // maybe: any brand logo with high confidence
  // maybe: recipients BCCd or undisclosed
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negating Google Calendar invites
and (
  (
    (
      length(attachments) > 0
      and not all(attachments,
                  .content_type in ("text/calendar", "application/ics")
      )
    )
    and not (
      any(distinct(headers.hops, .authentication_results.dmarc is null),
          strings.ilike(.authentication_results.dmarc, "*pass")
          and strings.ilike(.authentication_results.spf_details.designator,
                            "*calendar-server.bounces.google.com"
          )
      )
    )
  )
  or length(attachments) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
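To show how the "4 of" scoring block above behaves on a concrete message, here is an added Python re-implementation of those seven indicators over a plain dict; it is not Sublime's code or part of the rule. The reference lists, the link/redirect-history structure, the naive domain split and the sample message are all constructed assumptions.

```python
from urllib.parse import urlsplit
# Constructed stand-ins for the rule's reference lists (Sublime's real lists are far larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "icu"}
TURNSTILE = "https://challenges.cloudflare.com/turnstile/"
MAILBOX_LURE = "Your mailbox can no longer send or receive messages."

def root_and_tld(host):
    # Assumption: naive last-two-labels split, no public suffix list (wrong for e.g. co.uk).
    labels = host.lower().split(".")
    return ".".join(labels[-2:]), labels[-1]

def suspicious_indicator_count(msg):
    """Mirror the rule's 'and 4 of (...)' block over a plain dict; return how many fire.
    A link is {"href": url, "redirects": [hostnames in hop order], "final_dom": html}."""
    subject, body, links = msg["subject"].lower(), msg["body"], msg["links"]
    sender_domain = msg["sender"].split("@")[1].lower()
    sender_root = root_and_tld(sender_domain)[0]
    fired = [
        # recipient local part or SLD echoed in the subject for fake personalisation
        any(r.split("@")[0].lower() in subject or root_and_tld(r.split("@")[1])[0].split(".")[0]
            in subject for r in msg["recipients"]),
        # recipient address quoted in the body
        any(r.lower() in body.lower() for r in msg["recipients"]),
        # landing page embeds a Cloudflare Turnstile challenge
        any(TURNSTILE in l["final_dom"].lower() for l in links),
        # freemail sender, or no link at all shares the sender's root domain
        sender_domain in FREE_EMAIL_PROVIDERS
        or (bool(links) and all(root_and_tld(urlsplit(l["href"]).hostname)[0] != sender_root
                                for l in links)),
        # exact, case-sensitive lure text (the rule uses strings.contains, not icontains)
        MAILBOX_LURE in body,
        # some hop of a redirect chain lands on a suspicious TLD
        any(root_and_tld(h)[1] in SUSPICIOUS_TLDS for l in links for h in l["redirects"]),
        # long hop chain: 3+ distinct domains across 2+ distinct TLDs
        any(len({root_and_tld(h)[1] for h in l["redirects"]}) >= 2
            and len({h.lower() for h in l["redirects"]}) >= 3 for l in links),
    ]
    return sum(fired)

def looks_like_cred_phish(msg, cred_theft_intent):
    # Intent comes from the caller (no classifier here); profile/DMARC negations are omitted.
    return cred_theft_intent and suspicious_indicator_count(msg) >= 4

# Constructed sample: freemail sender, recipient echoed in subject/body, lure text, hop chain.
SAMPLE = {"sender": "it-helpdesk4821@gmail.com", "recipients": ["alice@example.com"],
          "subject": "Action required for alice mailbox", "links": [{"final_dom": "<html></html>",
          "href": "https://click.tracker-example.net/r?x=1", "redirects": ["click.tracker-example.net",
          "cdn-login.example.org", "secure-verify.example.xyz"]}],
          "body": "alice@example.com: Your mailbox can no longer send or receive messages. Act now."}
```

On the sample, six of the seven indicators fire (everything except the Turnstile check), so the message clears the rule's threshold of four; a same-domain digest mail with one self-hosted link fires none.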
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    - .name is 'cred_theft'
    - .confidence in ('medium', 'high')
  - any of attachments where all hold:
    - .file_type in $file_types_images
    - any of file.explode(.) where:
      - any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
        - .name is 'cred_theft'
        - .confidence is 'high'
- at least 4 of:
  - any of recipients.to where all hold:
    - any of:
      - strings.icontains(subject.subject, .email.local_part)
      - strings.icontains(subject.subject, .email.domain.sld)
    - any of:
      - .email.domain.valid
      - .display_name contains 'undisclosed'
  - any of recipients.to where all hold:
    - any of:
      - .email.domain.valid
      - .display_name contains 'undisclosed'
    - strings.icontains(body.current_thread.text, .email.email)
  - any of body.links where:
    - ml.link_analysis(., mode='aggressive').final_dom.raw contains 'https://challenges.cloudflare.com/turnstile/'
  - any of:
    - sender.email.domain.domain in $free_email_providers
    - all of:
      - length(body.links) > 0
      - all of body.links where:
        - .href_url.domain.root_domain is not sender.email.domain.root_domain
  - body.current_thread.text contains 'Your mailbox can no longer send or receive messages.'
  - any of body.links where:
    - any of ml.link_analysis(., mode='aggressive').redirect_history where:
      - .domain.tld in $suspicious_tlds
  - any of body.links where all hold:
    - length(distinct(map(ml.link_analysis(., mode='aggressive').redirect_history, .domain.tld))) ≥ 2
    - length(distinct(map(ml.link_analysis(., mode='aggressive').redirect_history, .domain.domain))) ≥ 3
- any of:
  - all of:
    - profile.by_sender().prevalence in ('new', 'outlier')
    - not:
      - profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not:
      - profile.by_sender().any_messages_benign
- any of:
  - all of:
    - all of:
      - length(attachments) > 0
      - not:
        - all of attachments where:
          - .content_type in ('text/calendar', 'application/ics')
    - not:
      - any of distinct(headers.hops, .authentication_results.dmarc is null) where all hold:
        - .authentication_results.dmarc matches '*pass'
        - .authentication_results.spf_details.designator matches '*calendar-server.bounces.google.com'
  - length(attachments) is 0
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not:
      - headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: attachments[].content_type, attachments[].file_type, body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].authentication_results.dmarc, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.sld, recipients.to[].email.domain.valid, recipients.to[].email.email, recipients.to[].email.local_part, sender.email.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.explode, ml.link_analysis, ml.nlu_classifier, profile.by_sender, strings.contains, strings.icontains, strings.ilike. Reference lists: $file_types_images, $free_email_providers, $high_trust_sender_root_domains, $suspicious_tlds.
Indicators matched (12)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
| ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft |
| ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidence | equals | high |
| strings.icontains | substring | undisclosed |
| strings.icontains | substring | https://challenges.cloudflare.com/turnstile/ |
| strings.contains | substring | Your mailbox can no longer send or receive messages. |
| attachments[].content_type | member | text/calendar |
| attachments[].content_type | member | application/ics |
| strings.ilike | substring | *pass |
| strings.ilike | substring | *calendar-server.bounces.google.com |