Detection rules › Sublime MQL
Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Event coverage
Rule body MQL
type.inbound
and (
(
0 < length(body.links) < 8
and any([subject.subject, sender.display_name],
regex.icontains(., "(?:storage|mailbox)")
)
)
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
and regex.icontains(beta.ocr(file.message_screenshot()).text,
"storage.{0,50}full",
"free.{0,50}upgrade",
"storage.{0,50}details",
"storage.{0,50}quot",
"email.{0,50}storage",
"total.{0,50}storage",
"storage.{0,50}limit",
"cloud.{0,50}update payment",
)
and not strings.ilike(beta.ocr(file.message_screenshot()).text,
"*free plan*"
)
)
or (
any(body.links,
// fingerprints of a hyperlinked image
.display_text is null
and .display_url.url is null
and (
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain == "beehiiv.com"
)
)
and length(attachments) == 1
and all(attachments,
.file_type in $file_types_images
and .size > 2000
and any(file.explode(.),
regex.icontains(.scan.ocr.raw,
"storage.{0,50}full",
"free.{0,50}upgrade",
"storage.{0,50}details",
"storage.{0,50}quot",
"email.{0,50}storage",
"total.{0,50}storage"
)
)
)
)
)
and (
strings.icontains(subject.subject, "exceeded")
or strings.icontains(subject.subject, "out of")
or strings.icontains(subject.subject, "mailbox")
or strings.icontains(subject.subject, "icloud")
or strings.icontains(subject.subject, "all storage used")
or strings.icontains(subject.subject, "compliance")
or strings.icontains(subject.subject, "critical")
or strings.icontains(subject.subject, "problem")
or strings.icontains(subject.subject, "max storage")
or strings.icontains(subject.subject, "be deleted")
or strings.icontains(subject.subject, "action required")
or strings.icontains(subject.subject, "undelivered messages")
or strings.icontains(subject.subject, "review storage")
or strings.icontains(subject.subject, "subscription terminated")
or strings.icontains(subject.subject, "final notice")
or strings.icontains(subject.subject, "data retention")
or strings.icontains(subject.subject, "file deletion")
or regex.icontains(subject.subject, '\bfull\b')
or regex.icontains(subject.subject, '\blimit(?:ed|\b)')
or regex.icontains(subject.subject, "storage (?:space|capacity warning)")
or regex.icontains(subject.subject, '(?:upgrade|\bact\b) (?:today|now)')
or regex.icontains(subject.subject,
'at (?:100|9[0-9](?:\.\d+)?|one[\s-]?hundred) ?(?:percent|%)'
)
)
// negate customer service requests about storage
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Customer Service and Support" and .confidence == "high"
)
// negate links to loopnet.com - a popular commerical property listing service
and not (any(body.links, .href_url.domain.root_domain == "loopnet.com"))
// negate legitimate sharepoint storage alerts
and (
(
sender.email.email == "no-reply@sharepointonline.com"
and not headers.auth_summary.dmarc.pass
and (
not all(body.links,
.href_url.domain.root_domain in~ (
"sharepoint.com",
"microsoft.com",
"aka.ms"
)
)
)
)
or sender.email.email != "no-reply@sharepointonline.com"
)
// negate legitimate iCloud China storage alerts
and (
(
sender.email.email == "noreply@icloud.com.cn"
and not headers.auth_summary.dmarc.pass
and (
not all(body.links,
.href_url.domain.root_domain in~ ("icloud.com", "aka.ms")
)
)
)
or sender.email.email != "noreply@icloud.com.cn"
)
// negate bouncebacks and undeliverables
and not any(attachments,
.content_type in (
"message/global-delivery-status",
"message/delivery-status",
)
or (
.content_type == "message/rfc822"
and any(file.parse_eml(.).attachments,
.content_type in (
"message/global-delivery-status",
"message/delivery-status",
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)
Detection logic
Scope: inbound message.
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
- inbound message
any of:
all of:
all of:
- length(body.links) > 0
- length(body.links) < 8
any of
[subject.subject, sender.display_name]where:- . matches '(?:storage|mailbox)'
all of:
any of
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intentswhere all hold:- .name is 'cred_theft'
- .confidence is 'high'
beta.ocr(file.message_screenshot()).text matches any of 8 patterns
storage.{0,50}fullfree.{0,50}upgradestorage.{0,50}detailsstorage.{0,50}quotemail.{0,50}storagetotal.{0,50}storagestorage.{0,50}limitcloud.{0,50}update payment
not:
- beta.ocr(file.message_screenshot()).text matches '*free plan*'
all of:
any of
body.linkswhere all hold:- .display_text is missing
- .display_url.url is missing
any of:
- .href_url.domain.root_domain in $free_file_hosts
- .href_url.domain.root_domain is 'beehiiv.com'
- length(attachments) is 1
all of
attachmentswhere all hold:- .file_type in $file_types_images
- .size > 2000
any of
file.explode(.)where:.scan.ocr.raw matches any of 6 patterns
storage.{0,50}fullfree.{0,50}upgradestorage.{0,50}detailsstorage.{0,50}quotemail.{0,50}storagetotal.{0,50}storage
any of:
- subject.subject contains 'exceeded'
- subject.subject contains 'out of'
- subject.subject contains 'mailbox'
- subject.subject contains 'icloud'
- subject.subject contains 'all storage used'
- subject.subject contains 'compliance'
- subject.subject contains 'critical'
- subject.subject contains 'problem'
- subject.subject contains 'max storage'
- subject.subject contains 'be deleted'
- subject.subject contains 'action required'
- subject.subject contains 'undelivered messages'
- subject.subject contains 'review storage'
- subject.subject contains 'subscription terminated'
- subject.subject contains 'final notice'
- subject.subject contains 'data retention'
- subject.subject contains 'file deletion'
- subject.subject matches '\\bfull\\b'
- subject.subject matches '\\blimit(?:ed|\\b)'
- subject.subject matches 'storage (?:space|capacity warning)'
- subject.subject matches '(?:upgrade|\\bact\\b) (?:today|now)'
- subject.subject matches 'at (?:100|9[0-9](?:\\.\\d+)?|one[\\s-]?hundred) ?(?:percent|%)'
not:
any of
ml.nlu_classifier(body.current_thread.text).topicswhere all hold:- .name is 'Customer Service and Support'
- .confidence is 'high'
not:
any of
body.linkswhere:- .href_url.domain.root_domain is 'loopnet.com'
any of:
all of:
- sender.email.email is 'no-reply@sharepointonline.com'
not:
- headers.auth_summary.dmarc.pass
not:
all of
body.linkswhere:- .href_url.domain.root_domain in ('sharepoint.com', 'microsoft.com', 'aka.ms')
- sender.email.email is not 'no-reply@sharepointonline.com'
any of:
all of:
- sender.email.email is 'noreply@icloud.com.cn'
not:
- headers.auth_summary.dmarc.pass
not:
all of
body.linkswhere:- .href_url.domain.root_domain in ('icloud.com', 'aka.ms')
- sender.email.email is not 'noreply@icloud.com.cn'
not:
any of
attachmentswhere any holds:- .content_type in ('message/global-delivery-status', 'message/delivery-status')
all of:
- .content_type is 'message/rfc822'
any of
file.parse_eml(.).attachmentswhere:- .content_type in ('message/global-delivery-status', 'message/delivery-status')
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
not:
- profile.by_sender().solicited
- profile.by_sender().any_messages_malicious_or_spam
not:
all of:
- sender.email.email is 'analyzer@analyzer.securityeducation.com'
any of
headers.domainswhere:- .root_domain is 'pphosted.com'
- headers.auth_summary.spf.pass
- headers.auth_summary.dmarc.pass
Inspects: attachments[].content_type, attachments[].file_type, attachments[].size, body.current_thread.text, body.links, body.links[].display_text, body.links[].display_url.url, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, sender.display_name, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.ocr, file.explode, file.message_screenshot, file.parse_eml, ml.nlu_classifier, profile.by_sender, regex.icontains, strings.icontains, strings.ilike. Reference lists: $file_types_images, $free_file_hosts, $high_trust_sender_root_domains.
Indicators matched (51)
| Field | Match | Value |
|---|---|---|
regex.icontains | regex | (?:storage|mailbox) |
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].name | equals | cred_theft |
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].confidence | equals | high |
regex.icontains | regex | storage.{0,50}full |
regex.icontains | regex | free.{0,50}upgrade |
regex.icontains | regex | storage.{0,50}details |
regex.icontains | regex | storage.{0,50}quot |
regex.icontains | regex | email.{0,50}storage |
regex.icontains | regex | total.{0,50}storage |
regex.icontains | regex | storage.{0,50}limit |
regex.icontains | regex | cloud.{0,50}update payment |
strings.ilike | substring | *free plan* |
39 more
body.links[].href_url.domain.root_domain | equals | beehiiv.com |
strings.icontains | substring | exceeded |
strings.icontains | substring | out of |
strings.icontains | substring | mailbox |
strings.icontains | substring | icloud |
strings.icontains | substring | all storage used |
strings.icontains | substring | compliance |
strings.icontains | substring | critical |
strings.icontains | substring | problem |
strings.icontains | substring | max storage |
strings.icontains | substring | be deleted |
strings.icontains | substring | action required |
strings.icontains | substring | undelivered messages |
strings.icontains | substring | review storage |
strings.icontains | substring | subscription terminated |
strings.icontains | substring | final notice |
strings.icontains | substring | data retention |
strings.icontains | substring | file deletion |
regex.icontains | regex | \bfull\b |
regex.icontains | regex | \blimit(?:ed|\b) |
regex.icontains | regex | storage (?:space|capacity warning) |
regex.icontains | regex | (?:upgrade|\bact\b) (?:today|now) |
regex.icontains | regex | at (?:100|9[0-9](?:\.\d+)?|one[\s-]?hundred) ?(?:percent|%) |
ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Customer Service and Support |
ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |
body.links[].href_url.domain.root_domain | equals | loopnet.com |
sender.email.email | equals | no-reply@sharepointonline.com |
body.links[].href_url.domain.root_domain | member | sharepoint.com |
body.links[].href_url.domain.root_domain | member | microsoft.com |
body.links[].href_url.domain.root_domain | member | aka.ms |
sender.email.email | equals | noreply@icloud.com.cn |
body.links[].href_url.domain.root_domain | member | icloud.com |
attachments[].content_type | member | message/global-delivery-status |
attachments[].content_type | member | message/delivery-status |
attachments[].content_type | equals | message/rfc822 |
file.parse_eml(attachments[]).attachments[].content_type | member | message/global-delivery-status |
file.parse_eml(attachments[]).attachments[].content_type | member | message/delivery-status |
sender.email.email | equals | analyzer@analyzer.securityeducation.com |
headers.domains[].root_domain | equals | pphosted.com |