Commonly abused sender TLD with engaging language

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Social engineering

Event coverage

Rule body MQL

type.inbound

// we don't do a suspicious link check here
// because we are seeing abuse of mass marketing tools
// like campaign[.]adobe[.]com
// once we roll out better support for unfurling those,
// we can update this logic
and length(body.links) > 0

// commonly abused sender TLD
and strings.ilike(sender.email.domain.tld, "*.jp")
and 3 of (
  // language attempting to engage
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),

  // financial request
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),

  // urgency request
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),

  // known suspicious pattern in the URL path
  any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),

  // suspicious image that's most likely cred_theft
  any(attachments,
      .file_type in $file_types_images
      and any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft"
              )
              or any(ml.nlu_classifier(.scan.ocr.raw).entities,
                     .name == "financial"
              )
      )
  ),

  // recipient's SLD is in the sender's display name
  any(recipients.to,
      strings.icontains(sender.display_name, .email.domain.sld)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
  ),

  // recipient's email address in the subject
  any(recipients.to,
      strings.icontains(subject.subject, .email.email)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
  ),
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not sender.email.domain.root_domain in ("amazon.co.jp")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(body.links) > 0
  3. sender.email.domain.tld matches '*.jp'
  4. at least 3 of:
    • any of ml.nlu_classifier(body.current_thread.text).entities where:
      • .name is 'request'
    • any of ml.nlu_classifier(body.current_thread.text).entities where:
      • .name is 'financial'
    • any of ml.nlu_classifier(body.current_thread.text).entities where:
      • .name is 'urgency'
    • any of body.links where:
      • .href_url.path matches '\/[a-z]{3}\d[a-z]'
    • any of attachments where all hold:
      • .file_type in $file_types_images
      • any of file.explode(.) where any holds:
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where:
          • .name is 'cred_theft'
        • any of ml.nlu_classifier(.scan.ocr.raw).entities where:
          • .name is 'financial'
    • any of recipients.to where all hold:
      • strings.icontains(sender.display_name, .email.domain.sld)
      • any of:
        • .email.domain.valid
        • .display_name contains 'undisclosed'
    • any of recipients.to where all hold:
      • strings.icontains(subject.subject, .email.email)
      • any of:
        • .email.domain.valid
        • .display_name contains 'undisclosed'
  5. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  6. not:
    • sender.email.domain.root_domain in ('amazon.co.jp')
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].file_type, body.current_thread.text, body.links, body.links[].href_url.path, headers.auth_summary.dmarc.pass, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.sld, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.display_name, sender.email.domain.root_domain, sender.email.domain.tld, subject.subject, type.inbound. Sensors: file.explode, ml.nlu_classifier, profile.by_sender, regex.match, strings.icontains, strings.ilike. Reference lists: $file_types_images, $high_trust_sender_root_domains.
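To see how the seven optional indicators, the "3 of" threshold and the sender-profile and high-trust exclusions combine, the following Python re-implements the rule's evaluation over constructed sample messages. This is an added example for study and testing, not code from Sublime or the sublime-rules repository: the ml.nlu_classifier, OCR and profile.by_sender sensors are replaced by fields you populate on the message object, the two reference lists hold constructed placeholder contents, the recipient SLD is simplified to the first label of the root domain, and regex.match is treated as an unanchored search (an assumption of this example).

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Stand-ins for the reference lists the rule names; contents are constructed, not Sublime's.
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "trusted-bank.co.jp"}
# The URL-path pattern from the rule, treated as an unanchored search here (an assumption).
URL_PATH_PATTERN = re.compile(r"\/[a-z]{3}\d[a-z]")


@dataclass
class Recipient:
    email: str                # pat@acme.co.jp
    root_domain: str          # acme.co.jp (its sld is taken as the first label, "acme")
    display_name: str = ""
    domain_valid: bool = True


@dataclass
class Message:
    sender_display_name: str
    sender_tld: str           # e.g. "co.jp"
    sender_root_domain: str   # e.g. "example.ne.jp"
    subject: str
    link_paths: list          # body.links[].href_url.path
    body_entities: set        # stand-in for NLU entity names found in body.current_thread.text
    recipients: list
    attachments: list = field(default_factory=list)  # dicts: file_type, ocr_intents, ocr_entities
    solicited: bool = False   # profile.by_sender().solicited
    any_malicious_or_spam: bool = False
    any_benign: bool = False
    dmarc_pass: bool = False  # headers.auth_summary.dmarc.pass
    inbound: bool = True


def _valid_or_undisclosed(r: Recipient) -> bool:
    return r.domain_valid or "undisclosed" in r.display_name.lower()


def matched_indicators(msg: Message) -> list:
    """Names of the seven optional indicators that fire; the rule needs at least three."""
    hits = [f"body_{e}" for e in ("request", "financial", "urgency") if e in msg.body_entities]
    if any(URL_PATH_PATTERN.search(p) for p in msg.link_paths):
        hits.append("suspicious_url_path")
    if any(a["file_type"] in FILE_TYPES_IMAGES
           and ("cred_theft" in a.get("ocr_intents", ()) or "financial" in a.get("ocr_entities", ()))
           for a in msg.attachments):
        hits.append("cred_theft_image")
    if any(r.root_domain.split(".")[0].lower() in msg.sender_display_name.lower()
           and _valid_or_undisclosed(r) for r in msg.recipients):
        hits.append("recipient_sld_in_sender_display_name")
    if any(r.email.lower() in msg.subject.lower() and _valid_or_undisclosed(r)
           for r in msg.recipients):
        hits.append("recipient_email_in_subject")
    return hits


def rule_matches(msg: Message) -> bool:
    """Evaluate the whole rule: scope, sender TLD, 3 of 7 indicators, sender profile, exclusions."""
    if not msg.inbound or not msg.link_paths:
        return False
    if not fnmatch.fnmatchcase(msg.sender_tld.lower(), "*.jp"):  # strings.ilike(tld, "*.jp")
        return False
    if len(matched_indicators(msg)) < 3:
        return False
    # keep only unsolicited senders, or solicited ones whose history is purely malicious/spam
    if msg.solicited and not (msg.any_malicious_or_spam and not msg.any_benign):
        return False
    if msg.sender_root_domain == "amazon.co.jp":
        return False
    # highly trusted root domains are excluded unless they fail DMARC
    if msg.sender_root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    return True


# Constructed sample messages, not real traffic.
ACME_USER = Recipient(email="pat@acme.co.jp", root_domain="acme.co.jp", display_name="Pat")

PHISH_LIKE = Message(
    sender_display_name="acme Support Desk", sender_tld="ne.jp",
    sender_root_domain="example-mailer.ne.jp",
    subject="Action required for pat@acme.co.jp",
    link_paths=["/abc1d/login"], body_entities={"request", "urgency"},
    recipients=[ACME_USER],
)

NEWSLETTER = Message(
    sender_display_name="Tokyo Gadgets Newsletter", sender_tld="co.jp",
    sender_root_domain="tokyo-gadgets.co.jp", subject="This week's new arrivals",
    link_paths=["/catalog/new"], body_entities={"request"},
    recipients=[ACME_USER], solicited=True, any_benign=True,
)

if __name__ == "__main__":
    for name, m in (("PHISH_LIKE", PHISH_LIKE), ("NEWSLETTER", NEWSLETTER)):
        print(name, rule_matches(m), matched_indicators(m))
```

Running the script shows PHISH_LIKE firing on five of the seven indicators (two body entities, the URL path pattern, the recipient SLD in the sender display name and the recipient address in the subject) while NEWSLETTER stops at one and is solicited anyway. Swapping the sender root domain of PHISH_LIKE for one in the high-trust list demonstrates the DMARC carve-out: the message is dropped when DMARC passes and kept when it fails.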

Indicators matched (9)

Field | Match | Value
strings.ilike | substring | *.jp
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | financial
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency
regex.match | regex | \/[a-z]{3}\d[a-z]
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].name | equals | financial
strings.icontains | substring | undisclosed
sender.email.domain.root_domain | member | amazon.co.jp