Credential phishing: Engaging language with IPFS link

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

The body contains credential-theft indicators and a link to an IPFS site. IPFS has recently been observed hosting phishing sites.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing
Tactics and techniques    Free file host, Free subdomain host, IPFS

Event coverage

Rule body MQL

type.inbound
and strings.ilike(body.html.display_text, "*expir*")
and strings.ilike(body.html.display_text, "*password*")
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)
and any(body.links,
        strings.icontains(ml.link_analysis(.).effective_url.url, 'ipfs')
        or (
          regex.icontains(ml.link_analysis(.).effective_url.path,
                          '[\.-/]ipfs|ipfs[\.-/]'
          )
          and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
          and (
            (
              // don't include high rep domains
              ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
              and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
            )
            // if it's in Tranco or Umbrella, still include it if it's one of these
            or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
            or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
          )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. body.html.display_text matches '*expir*'
  3. body.html.display_text matches '*password*'
  4. any of ml.nlu_classifier(body.current_thread.text).intents where:
    • .name is 'cred_theft'
  5. any of body.links where any holds:
    • ml.link_analysis(.).effective_url.url contains 'ipfs'
    • all of:
      • ml.link_analysis(.).effective_url.path matches '[\.-/]ipfs|ipfs[\.-/]'
      • ml.link_analysis(.).effective_url.domain.domain not in $org_domains
      • any of:
        • all of:
          • ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
          • ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
        • ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
        • ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
        • ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts

Inspects: body.current_thread.text, body.html.display_text, body.links, type.inbound. Sensors: ml.link_analysis, ml.nlu_classifier, regex.icontains, strings.icontains, strings.ilike. Reference lists: $free_file_hosts, $free_subdomain_hosts, $org_domains, $tranco_1m, $umbrella_1m.
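To make the evaluation order concrete, the following is a Python reconstruction of the rule's logic run over constructed sample messages. It is an added example, not Sublime's implementation or code from the sublime-rules repository: the ML sensors (ml.nlu_classifier, ml.link_analysis) are replaced by precomputed fields on a constructed Message object, the $-prefixed reference lists are small constructed sets, and root_domain is a two-label simplification of Sublime's registrable-domain value. All of those are assumptions.

```python
"""Python sketch of the 'Engaging language with IPFS link' rule logic.

Added example, not Sublime's implementation. The ML sensors are replaced by
precomputed fields on a constructed Message, and the $-prefixed reference
lists are small constructed sets (assumptions).
"""
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's reference lists (assumption).
ORG_DOMAINS = {"example-corp.test"}
TRANCO_1M = {"bigsite.example", "gateway.example"}
UMBRELLA_1M = {"bigsite.example", "gateway.example"}
FREE_FILE_HOSTS = {"gateway.example"}
FREE_SUBDOMAIN_HOSTS = {"pages.example"}

# Same pattern as the rule. Note: inside a character class, `\.-/` is a range
# from '.' (0x2E) to '/' (0x2F), so the class matches '.' or '/' but not '-'.
IPFS_PATH_RE = re.compile(r"[\.-/]ipfs|ipfs[\.-/]", re.IGNORECASE)


@dataclass
class Link:
    # Stands in for ml.link_analysis(.).effective_url.url (assumption: resolved).
    url: str


@dataclass
class Message:
    inbound: bool
    display_text: str  # body.html.display_text
    intents: set       # names from ml.nlu_classifier(body.current_thread.text).intents
    links: list


def ilike(text, pattern):
    """Case-insensitive glob, mirroring strings.ilike."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def root_domain(host):
    """Registrable domain, simplified to the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def link_matches(link):
    """The per-link predicate from the rule's any(body.links, ...) clause."""
    parsed = urlparse(link.url)
    host = (parsed.hostname or "").lower()
    root = root_domain(host)
    # Branch (a): plain substring check on the whole effective URL.
    if "ipfs" in link.url.lower():
        return True
    # Branch (b): ipfs as a path component, gated by domain reputation.
    if not IPFS_PATH_RE.search(parsed.path):
        return False
    if host in ORG_DOMAINS:
        return False
    low_reputation = host not in TRANCO_1M and host not in UMBRELLA_1M
    known_free_host = (
        host in FREE_FILE_HOSTS
        or root in FREE_FILE_HOSTS
        or root in FREE_SUBDOMAIN_HOSTS
    )
    return low_reputation or known_free_host


def rule_matches(msg):
    """Top-level conjunction of the rule."""
    return (
        msg.inbound
        and ilike(msg.display_text, "*expir*")
        and ilike(msg.display_text, "*password*")
        and "cred_theft" in msg.intents
        and any(link_matches(link) for link in msg.links)
    )


# Constructed sample messages (not real phishing samples).
PHISH = Message(
    inbound=True,
    display_text="Your password will expire today. Verify now to keep access.",
    intents={"cred_theft"},
    links=[Link("https://files.example/ipfs/CID_PLACEHOLDER/index.html")],
)
INTERNAL_RESET = Message(
    inbound=True,
    display_text="Your password will expire in 14 days. Change it via the portal.",
    intents=set(),
    links=[Link("https://example-corp.test/reset")],
)

if __name__ == "__main__":
    print("PHISH:", rule_matches(PHISH))
    print("INTERNAL_RESET:", rule_matches(INTERNAL_RESET))
```

Two things fall out of running it. First, branch (a) is the broadest clause: any effective URL that contains the substring "ipfs" anywhere satisfies it, so in this reconstruction a link whose path also matches the regex has already matched before the reputation-list gating in branch (b) is reached; that gating only narrows results if effective_url.url were something other than the full URL. Second, the character class `[\.-/]` is a range rather than the three characters dot, hyphen and slash, so a hyphen-delimited "ipfs" in a path is not matched by the regex (though it is still caught by branch (a)). Both are worth knowing when tuning this rule for precision.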

Indicators matched (5)

Field                                                       Match       Value
strings.ilike                                               substring   *expir*
strings.ilike                                               substring   *password*
ml.nlu_classifier(body.current_thread.text).intents[].name  equals      cred_theft
strings.icontains                                           substring   ipfs
regex.icontains                                             regex       [\.-/]ipfs|ipfs[\.-/]