Detection rules › Sublime MQL
Link: /index.php enclosed in three asterisks
Detects messages in which a link to a PHP index page with query parameters (`/index.php?...`) is enclosed between two `* * *` lines. This layout has been observed in messages leading to FakeAV/Tech Support scams.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware, Callback Phishing |
| Tactics and techniques | Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body MQL
type.inbound
and strings.count(body.current_thread.text, '* * *') == 2
and strings.contains(body.current_thread.text, ': http')
and strings.contains(body.current_thread.text, '/index.php?')
and regex.icontains(body.current_thread.text,
'\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*'
)
Detection logic
Scope: inbound message.
- inbound message
- strings.count(body.current_thread.text, '* * *') is 2
- body.current_thread.text contains ': http'
- body.current_thread.text contains '/index.php?'
- body.current_thread.text matches '\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*' (case-insensitive; the two substring checks above are case-sensitive)
Inspects: body.current_thread.text, type.inbound. Sensors: regex.icontains, strings.contains, strings.count.
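To see how the four conditions interact, here is the rule ported to Python and run over a few constructed message bodies. This is an added example, not Sublime's code or the rule's own test corpus: the sample bodies, `rule_matches`, `regex_only` and `evaluate_samples` are assumptions made for illustration, and the MQL regex is used as written with `re.IGNORECASE` standing in for `regex.icontains`. Two points the samples make explicit: the `strings.contains` prefilters are case-sensitive while the regex is not, so a body with `: HTTP://` satisfies the regex but not the rule; and each `(?:[^\r\n]+|[\r\n][^\r\n]*)` group allows at most one line-break character between the `* * *` line and the link line, so a body that still carries literal CRLF line endings does not match as written (whether Sublime normalizes line endings before populating body.current_thread.text is not something this page states).

```python
import re

# The rule's four conditions, ported to Python for offline testing.
# In MQL strings.count / strings.contains are case-sensitive and
# regex.icontains is case-insensitive, hence re.IGNORECASE on the regex only.
TRIPLE_STAR = "* * *"
LINK_REGEX = re.compile(
    r"\* \* \*(?:[^\r\n]+|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+"
    r"(?:[^\r\n]+|[\r\n][^\r\n]*)\* \* \*",
    re.IGNORECASE,
)


def regex_only(text: str) -> bool:
    """True when only the regex.icontains condition is satisfied."""
    return LINK_REGEX.search(text) is not None


def rule_matches(text: str, inbound: bool = True) -> bool:
    """True when a message body would satisfy every condition of the rule."""
    return (
        inbound
        and text.count(TRIPLE_STAR) == 2          # strings.count(...) == 2
        and ": http" in text                      # strings.contains(': http')
        and "/index.php?" in text                 # strings.contains('/index.php?')
        and regex_only(text)                      # regex.icontains(...)
    )


# Constructed sample bodies (hypothetical; example.test is a reserved TLD).
SAMPLES = {
    # Typical FakeAV layout: fence line, link line, fence line.
    "fakeav_lure": (
        "Windows Defender Alert\n* * *\n"
        "Call Support: http://example.test/index.php?id42abc\n* * *\n"
        "Do not ignore this warning.\n"
    ),
    # Both fences and the link on a single line also satisfy the regex.
    "inline_fence": "Security alert * * * Call: http://example.test/index.php?abc now * * *\n",
    # Only one fence: strings.count(...) == 2 fails.
    "single_fence": (
        "Windows Defender Alert\n* * *\n"
        "Call Support: http://example.test/index.php?id42abc\n"
        "Do not ignore this warning.\n"
    ),
    # Two fences but no /index.php? link.
    "plain_link": "Windows Defender Alert\n* * *\nCall Support: http://example.test/support.html\n* * *\n",
    # Upper-case scheme: regex (icontains) matches, case-sensitive ': http' does not.
    "uppercase_scheme": (
        "Windows Defender Alert\n* * *\n"
        "Call Support: HTTP://example.test/index.php?id42abc\n* * *\n"
        "Do not ignore this warning.\n"
    ),
    # Same lure with CRLF line endings: [\r\n] consumes only one of the two characters.
    "crlf_lure": (
        "Windows Defender Alert\r\n* * *\r\n"
        "Call Support: http://example.test/index.php?id42abc\r\n* * *\r\n"
        "Do not ignore this warning.\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run the ported rule over every sample; returns {name: matched}."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} rule={hit!s:5s} regex_only={regex_only(SAMPLES[name])}")
```

The `regex_only` column is the useful one when tuning: a sample that the regex accepts but the rule rejects is being filtered by one of the cheap substring prefilters, which is where case and line-ending normalization decide the outcome.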
Indicators matched (3)
| Function | Match | Value |
|---|---|---|
| strings.contains | substring | `: http` |
| strings.contains | substring | `/index.php?` |
| regex.icontains | regex (case-insensitive) | `\* \* \*(?:[^\r\n]+\|[\r\n][^\r\n]*): https?:\/\/.*\/index\.php\?[a-z0-9]+(?:[^\r\n]+\|[\r\n][^\r\n]*)\* \* \*` |