Detection rules › Sublime MQL
Link: File sharing impersonation with suspicious language and sending patterns
Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing |
| Tactics and techniques | Social engineering, Free subdomain host, Impersonation: Brand |
Rule body (MQL)
```
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "cred_theft") and .confidence != "low"
)
and any(body.links,
        regex.icontains(.display_text, "document", "download", "message")
        and .href_url.domain.root_domain != sender.email.domain.root_domain
        and .href_url.domain.root_domain not in $tranco_1m
        and .href_url.domain.root_domain not in $org_domains
        and .href_url.domain.valid
        // Exclude legitimate document services
        and not .href_url.domain.root_domain in $free_file_hosts
)
// suspicious sending/recipient pattern
and 1 of (
  (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  ),
  any(headers.reply_to,
      .email.domain.domain in $free_email_providers
      and .email.domain.domain != sender.email.domain.domain
  ),
  (
    length(recipients.to) == 1
    and length(recipients.cc) == 1
    and recipients.to[0].email.email == recipients.cc[0].email.email
  ),
  (
    strings.icontains(headers.return_path.local_part, "+SRS=")
    or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
    or any(headers.hops,
           strings.icontains(.authentication_results.spf_details.designator,
                             '+SRS='
           )
    )
  ),
  // No recipients visible
  (
    length(recipients.to) == 0
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
  )
  and length(recipients.cc) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
  - .name is 'File Sharing and Cloud Services'
  - .confidence is not 'low'
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name in ('bec', 'cred_theft')
  - .confidence is not 'low'
- any of body.links where all hold:
  - .display_text matches any of 3 patterns (case-insensitive): document, download, message
  - .href_url.domain.root_domain is not sender.email.domain.root_domain
  - .href_url.domain.root_domain not in $tranco_1m
  - .href_url.domain.root_domain not in $org_domains
  - .href_url.domain.valid
  - not: .href_url.domain.root_domain in $free_file_hosts
- at least 1 of:
  - all of:
    - length(recipients.to) is 1
    - recipients.to[0].email.email is sender.email.email
  - any of headers.reply_to where all hold:
    - .email.domain.domain in $free_email_providers
    - .email.domain.domain is not sender.email.domain.domain
  - all of:
    - length(recipients.to) is 1
    - length(recipients.cc) is 1
    - recipients.to[0].email.email is recipients.cc[0].email.email
  - any of:
    - headers.return_path.local_part contains '+SRS='
    - headers.auth_summary.spf.details.designator contains '+SRS='
    - any of headers.hops where: .authentication_results.spf_details.designator contains '+SRS='
  - all of:
    - any of:
      - length(recipients.to) is 0
      - all of:
        - all of recipients.to where: .email.domain.valid is False
        - all of recipients.cc where: .email.domain.valid is False
    - length(recipients.cc) is 0
- not:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - coalesce(headers.auth_summary.dmarc.pass, false) (a missing DMARC result counts as a failure, so only a verified pass exempts a high-trust sender)
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.valid, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.details.designator, headers.hops, headers.hops[].authentication_results.spf_details.designator, headers.reply_to, headers.reply_to[].email.domain.domain, headers.return_path.local_part, recipients.cc, recipients.cc[0].email.email, recipients.cc[].email.domain.valid, recipients.to, recipients.to[0].email.email, recipients.to[].email.domain.valid, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.icontains. Reference lists: $free_email_providers, $free_file_hosts, $high_trust_sender_root_domains, $org_domains, $tranco_1m.
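To show how the deterministic predicates of this rule combine, here is an added Python re-implementation run over constructed sample messages. It is not Sublime's code and not part of the rule page. Assumptions: the ml.nlu_classifier output cannot be reproduced offline, so each sample carries hard-coded topic/intent confidences; the reference lists ($tranco_1m, $org_domains, $free_file_hosts, $free_email_providers, $high_trust_sender_root_domains) are replaced by small constructed sets; root_domain takes the last two labels instead of consulting a public-suffix list; the per-hop SPF designator check is folded into a single spf_designator field. All sender addresses, hosts and the SRS tag are constructed for illustration.

```python
import re

# Constructed stand-ins for the Sublime reference lists the rule consults.
TRANCO_1M = {"microsoft.com", "google.com", "dropbox.com"}
ORG_DOMAINS = {"example.com"}
FREE_FILE_HOSTS = {"wetransfer.com", "dropbox.com"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com"}

DISPLAY_TEXT_RE = re.compile("document|download|message", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.IGNORECASE)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def root_domain(host):
    # Assumption: last two labels form the root; Sublime consults a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def domain_valid(host):
    return bool(DOMAIN_RE.match(host))

def nlu_hit(scores, names):
    # Mirrors `.name in (...) and .confidence != "low"` over hard-coded NLU output.
    return any(n in names and c != "low" for n, c in scores.items())

def suspicious_link(msg):
    """any(body.links, ...): document-style anchor text pointing off-domain."""
    sender_root = root_domain(domain_of(msg["sender"]))
    for link in msg["links"]:
        root = root_domain(link["host"])
        if (DISPLAY_TEXT_RE.search(link["display_text"])
                and root != sender_root
                and root not in TRANCO_1M
                and root not in ORG_DOMAINS
                and domain_valid(link["host"])
                and root not in FREE_FILE_HOSTS):
            return True
    return False

def suspicious_sending_pattern(msg):
    """The '1 of (...)' block: at least one of five recipient/header oddities."""
    sender, to, cc = msg["sender"], msg["to"], msg["cc"]
    sender_domain = domain_of(sender)
    return any([
        # self-addressed: the only To: recipient is the sender itself
        len(to) == 1 and to[0] == sender,
        # Reply-To on a free mail provider that differs from the sender's domain
        any(domain_of(r) in FREE_EMAIL_PROVIDERS and domain_of(r) != sender_domain
            for r in msg["reply_to"]),
        # the same address in To: and Cc:
        len(to) == 1 and len(cc) == 1 and to[0] == cc[0],
        # Sender Rewriting Scheme tag in the Return-Path or the SPF designator
        "+srs=" in msg["return_path_local"].lower()
        or "+srs=" in msg["spf_designator"].lower(),
        # no visible (valid) recipients and no Cc at all
        (len(to) == 0 or (all(not domain_valid(domain_of(a)) for a in to)
                          and all(not domain_valid(domain_of(a)) for a in cc)))
        and len(cc) == 0,
    ])

def trusted_and_authenticated(msg):
    """Trailing negation; coalesce(dmarc.pass, false) treats a missing result as a fail."""
    dmarc_pass = msg["dmarc_pass"] if msg["dmarc_pass"] is not None else False
    return root_domain(domain_of(msg["sender"])) in HIGH_TRUST_SENDER_ROOT_DOMAINS and dmarc_pass

def rule_matches(msg):
    return (msg["inbound"]
            and nlu_hit(msg["topics"], ("File Sharing and Cloud Services",))
            and nlu_hit(msg["intents"], ("bec", "cred_theft"))
            and suspicious_link(msg)
            and suspicious_sending_pattern(msg)
            and not trusted_and_authenticated(msg))

def make_msg(**overrides):
    # Constructed sample; the NLU topic/intent confidences are hard-coded, not computed.
    base = {
        "inbound": True,
        "sender": "notify@onedrive-secure-mail.com",
        "to": ["notify@onedrive-secure-mail.com"],  # self-addressed lure
        "cc": [], "reply_to": [],
        "return_path_local": "notify", "spf_designator": "onedrive-secure-mail.com",
        "links": [{"display_text": "View Document", "host": "files-review.xyz"}],
        "topics": {"File Sharing and Cloud Services": "high"},
        "intents": {"cred_theft": "medium"},
        "dmarc_pass": None,
    }
    return {**base, **overrides}

PHISH = make_msg()
NO_PATTERN = make_msg(to=["alice@example.com", "bob@example.com"])  # same lure, no sending oddity
LEGIT_SHARE = make_msg(sender="no-reply@dropbox.com", to=["alice@example.com"],
                       links=[{"display_text": "Download", "host": "www.dropbox.com"}])
TRUSTED_SRS = make_msg(sender="noreply@microsoft.com", to=["alice@example.com"],
                       return_path_local="notify+SRS=k2f9c=Q7", dmarc_pass=True)
TRUSTED_SRS_NO_DMARC = {**TRUSTED_SRS, "dmarc_pass": None}
```

The last two samples are the ones worth stepping through: the SRS-rewritten Return-Path satisfies the sending-pattern branch on its own, and the high-trust exemption then turns entirely on DMARC. With dmarc_pass set to None the coalesce falls back to false, the exemption does not apply, and the message fires; a spoofed high-trust sender therefore cannot escape the rule by arriving with no DMARC result.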
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | File Sharing and Cloud Services |
| ml.nlu_classifier(body.current_thread.text).intents[].name | member | bec |
| ml.nlu_classifier(body.current_thread.text).intents[].name | member | cred_theft |
| regex.icontains (body.links[].display_text) | regex | document |
| regex.icontains (body.links[].display_text) | regex | download |
| regex.icontains (body.links[].display_text) | regex | message |
| strings.icontains (Return-Path local part, SPF designator) | substring | +SRS= |