Detection rules › Sublime MQL
Cyrillic vowel substitution in subject or display name from unknown sender
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Social engineering, Spoofing |
Event coverage
Rule body MQL
type.inbound
// message contains between 1 and 9 links
and (
0 < length(body.links) < 10
or (
length(body.links) == 0
and length(attachments) > 0
and body.current_thread.text == ""
)
)
// display name or subject contains Cyrillic vowels in addition to standard letters
and any([subject.subject, sender.display_name],
regex.icontains(., '(а|е|и|о|у)') and regex.icontains(., '[a-z]')
)
// and the senders tld or return path is not "ru"
and not (
sender.email.domain.tld == "ru" or headers.return_path.domain.tld == "ru"
)
// and the return path is not 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'calendar-server.bounces.google.com'
and not headers.return_path.domain.domain == 'identity-reachout.bounces.google.com'
and not headers.return_path.domain.domain == 'bounce-sg.zoom.us'
and not headers.return_path.domain.domain == 'bounce.dataminr.com'
and not headers.return_path.domain.domain == 'mail-us.atlassian.net'
// the message is unsolicited and no false positives
and (
not profile.by_sender().solicited
or (
length(headers.reply_to) > 0
and all(headers.reply_to, .email.email not in $recipient_emails)
)
)
and not profile.by_sender().any_messages_benign
Detection logic
Scope: inbound message.
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
- inbound message
any of:
all of:
- length(body.links) > 0
- length(body.links) < 10
all of:
- length(body.links) is 0
- length(attachments) > 0
- body.current_thread.text is ''
any of
[subject.subject, sender.display_name]where all hold:- . matches '(а|е|и|о|у)'
- . matches '[a-z]'
none of:
- sender.email.domain.tld is 'ru'
- headers.return_path.domain.tld is 'ru'
not:
- headers.return_path.domain.domain is 'calendar-server.bounces.google.com'
not:
- headers.return_path.domain.domain is 'identity-reachout.bounces.google.com'
not:
- headers.return_path.domain.domain is 'bounce-sg.zoom.us'
not:
- headers.return_path.domain.domain is 'bounce.dataminr.com'
not:
- headers.return_path.domain.domain is 'mail-us.atlassian.net'
any of:
not:
- profile.by_sender().solicited
all of:
- length(headers.reply_to) > 0
all of
headers.reply_towhere:- .email.email not in $recipient_emails
not:
- profile.by_sender().any_messages_benign
Inspects: body.current_thread.text, body.links, headers.reply_to, headers.reply_to[].email.email, headers.return_path.domain.domain, headers.return_path.domain.tld, sender.display_name, sender.email.domain.tld, subject.subject, type.inbound. Sensors: profile.by_sender, regex.icontains. Reference lists: $recipient_emails.
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
body.current_thread.text | equals | |
regex.icontains | regex | (а|е|и|о|у) |
regex.icontains | regex | [a-z] |
sender.email.domain.tld | equals | ru |
headers.return_path.domain.tld | equals | ru |
headers.return_path.domain.domain | equals | calendar-server.bounces.google.com |
headers.return_path.domain.domain | equals | identity-reachout.bounces.google.com |
headers.return_path.domain.domain | equals | bounce-sg.zoom.us |
headers.return_path.domain.domain | equals | bounce.dataminr.com |
headers.return_path.domain.domain | equals | mail-us.atlassian.net |