
Link: Financial account issue with suspicious indicators

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages to single recipients containing language about account or payment issues combined with suspicious links or high-confidence credential theft indicators related to financial communications.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Free file host, Free subdomain host, Social engineering

Rule body (MQL)

type.inbound
// single recipient
and length(recipients.to) == 1
// problem phrase commonly observed in lures
and regex.icontains(body.current_thread.text,
                    '(?:issue|problem) with your.{0,20}(?:card|account|renewal|payment|billing)'
)
// link is suspicious for one reason or another
and any(body.links,
        (
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.domain in $self_service_creation_platform_domains
          or .href_url.domain.tld in $suspicious_tlds
          or network.whois(.href_url.domain).days_old < 30
          or .href_url.domain.root_domain == 'sa.com'
        )
        and not .href_url.domain.root_domain in (
          'app.link',
          'sng.link',
          'onelink.me'
        )
        // no campaigns
        and not regex.icontains(.href_url.url,
                                '&utm_(?:campaign|medium|source)'
        )
)

// high confidence cred theft with a topic of either financial or payment comms
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications", "Payment Information")
        and .confidence == 'high'
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(recipients.to) is 1
  3. body.current_thread.text matches '(?:issue|problem) with your.{0,20}(?:card|account|renewal|payment|billing)'
  4. any of body.links where all hold:
    • any of:
      • .href_url.domain.domain in $url_shorteners
      • .href_url.domain.root_domain in $url_shorteners
      • .href_url.domain.root_domain in $free_file_hosts
      • .href_url.domain.domain in $free_file_hosts
      • .href_url.domain.root_domain in $free_subdomain_hosts
      • .href_url.domain.domain in $free_subdomain_hosts
      • .href_url.domain.root_domain in $self_service_creation_platform_domains
      • .href_url.domain.domain in $self_service_creation_platform_domains
      • .href_url.domain.tld in $suspicious_tlds
      • network.whois(.href_url.domain).days_old < 30
      • .href_url.domain.root_domain is 'sa.com'
    • not:
      • .href_url.domain.root_domain in ('app.link', 'sng.link', 'onelink.me')
    • not:
      • .href_url.url matches '&utm_(?:campaign|medium|source)'
  5. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name is 'cred_theft'
    • .confidence is 'high'
  6. any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
    • .name in ('Financial Communications', 'Payment Information')
    • .confidence is 'high'
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • coalesce(headers.auth_summary.dmarc.pass, false)
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.tld, body.links[].href_url.url, headers.auth_summary.dmarc.pass, recipients.to, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, network.whois, regex.icontains. Reference lists: $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains, $self_service_creation_platform_domains, $suspicious_tlds, $url_shorteners.
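As an added illustration (not Sublime's code or its reference lists), the link-suspicion predicate (step 4), the lure regex (step 3) and the sender/DMARC gate (step 7) of the rule above re-expressed in Python so the negations can be exercised on constructed links. The $-lists are small constructed stand-ins, the NLU intent/topic verdicts are supplied as booleans on the message, WHOIS age is passed in as a number, and root_domain is a hypothetical two-label helper with no public-suffix handling.

```python
import re
from urllib.parse import urlparse
# Constructed stand-ins for the rule's $-lists; Sublime's real lists are far larger.
URL_SHORTENERS = {"bit.ly", "t.co"}
FREE_FILE_HOSTS = {"drive.google.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
SELF_SERVICE_PLATFORMS = {"wixsite.com"}
SUSPICIOUS_TLDS = {"xyz", "top"}
HIGH_TRUST_SENDERS = {"example-bank.com"}
DEEP_LINK_EXCLUSIONS = {"app.link", "sng.link", "onelink.me"}

LURE_RE = re.compile(r"(?:issue|problem) with your.{0,20}(?:card|account|renewal|payment|billing)", re.I)
UTM_RE = re.compile(r"&utm_(?:campaign|medium|source)", re.I)

def root_domain(host):
    # Naive two-label root domain (hypothetical helper; no public-suffix handling).
    return ".".join(host.lower().split(".")[-2:])

def link_is_suspicious(url, domain_age_days):
    # Step 4 of the rule: at least one suspicious signal, minus the two negations.
    host = urlparse(url).hostname or ""
    root = root_domain(host)
    signal = (
        host in URL_SHORTENERS or root in URL_SHORTENERS
        or host in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS
        or host in FREE_SUBDOMAIN_HOSTS or root in FREE_SUBDOMAIN_HOSTS
        or host in SELF_SERVICE_PLATFORMS or root in SELF_SERVICE_PLATFORMS
        or host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS
        or domain_age_days < 30          # stands in for network.whois(...).days_old
        or root == "sa.com"
    )
    return signal and root not in DEEP_LINK_EXCLUSIONS and not UTM_RE.search(url)

def sender_gate(sender_root, dmarc_pass):
    # Step 7: high-trust sender domains are suppressed unless DMARC did not pass;
    # a missing DMARC result is coalesced to False, i.e. treated as not passing.
    if sender_root in HIGH_TRUST_SENDERS:
        return not (dmarc_pass if dmarc_pass is not None else False)
    return True

def rule_matches(msg):
    # msg is a constructed dict; NLU intent/topic verdicts are supplied as booleans.
    return (
        len(msg["to"]) == 1
        and bool(LURE_RE.search(msg["text"]))
        and any(link_is_suspicious(u, age) for u, age in msg["links"])
        and msg["cred_theft_high"] and msg["finance_topic_high"]
        and sender_gate(msg["sender_root"], msg["dmarc_pass"])
    )
```

A link that carries a tracking `&utm_` parameter or sits on one of the three deep-link services is dropped even when it is otherwise suspicious, which is the behaviour to keep in mind when tuning the negations.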

Indicators matched (11)

Field                                                            Match    Value
regex.icontains                                                  regex    (?:issue|problem) with your.{0,20}(?:card|account|renewal|payment|billing)
body.links[].href_url.domain.root_domain                         equals   sa.com
body.links[].href_url.domain.root_domain                         member   app.link
body.links[].href_url.domain.root_domain                         member   sng.link
body.links[].href_url.domain.root_domain                         member   onelink.me
regex.icontains                                                  regex    &utm_(?:campaign|medium|source)
ml.nlu_classifier(body.current_thread.text).intents[].name       equals   cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence equals   high
ml.nlu_classifier(body.current_thread.text).topics[].name        member   Financial Communications
ml.nlu_classifier(body.current_thread.text).topics[].name        member   Payment Information
ml.nlu_classifier(body.current_thread.text).topics[].confidence  equals   high