Link: Suspicious Family fragment parameter with encoded recipient data
Detects inbound messages containing links whose URL fragment carries a 'Family' parameter holding a base64- or hex-encoded email address, which may indicate personalized malicious content targeting specific recipients. The parameter pattern also accepts 'Farnily' (the 'rn' look-alike of 'm'), so a homoglyph substitution in the parameter name does not evade the match.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Encryption, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
        // contains family (or 'Farnily', the rn look-alike of m)
        regex.icontains(.href_url.fragment, 'Fa(?:m|rn)ily=')
        // the href_url fragment contains a valid base64 encoded email
        and (
          any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
              strings.parse_email(.).domain.valid
              // double base64 encoded.. yup
              or any(strings.scan_base64(., ignore_padding=true),
                     strings.parse_email(.).domain.valid
              )
          )
          or any(regex.iextract(.href_url.fragment,
                                'Fa(?:m|rn)ily=$?(?P<email_addy>[^&]+)'
                 ),
                 // plain text email addresses
                 strings.parse_email(.named_groups["email_addy"]).domain.valid
                 // observed hex encoded email address in addition to the base64 encoded ones
                 // ('40' is hex for '@', '2e' is hex for '.', hex strings have even length)
                 or (
                   strings.icontains(.named_groups["email_addy"], '40')
                   and strings.icontains(.named_groups["email_addy"], '2e')
                   and length(.named_groups["email_addy"]) % 2 == 0
                 )
                 // sometimes the template messes up and the unrendered variable name is left in the value
                 or strings.icontains(.named_groups["email_addy"],
                                      'sf_base64_enc'
                 )
                 // messed up in a different way: the parameter name is repeated inside the value
                 or regex.icontains(.named_groups["email_addy"],
                                    'Fa(?:m|rn)ily'
                 )
          )
        )
)
Detection logic
Scope: inbound message.
- inbound message
- any of body.links where all hold:
  - .href_url.fragment matches 'Fa(?:m|rn)ily=' (case-insensitive; 'rn' is accepted as a look-alike of 'm')
  - any of:
    - any of strings.scan_base64(.href_url.fragment, ignore_padding=true) where any holds:
      - strings.parse_email(.).domain.valid
      - any of strings.scan_base64(., ignore_padding=true) where strings.parse_email(.).domain.valid (double base64 encoded)
    - any of regex.iextract(.href_url.fragment, 'Fa(?:m|rn)ily=$?(?P<email_addy>[^&]+)') where any holds:
      - strings.parse_email(.named_groups['email_addy']).domain.valid (plain-text address)
      - all of (hex-encoded address heuristic):
        - .named_groups['email_addy'] contains '40' (hex for '@')
        - .named_groups['email_addy'] contains '2e' (hex for '.')
        - length(.named_groups['email_addy']) % 2 is 0
      - .named_groups['email_addy'] contains 'sf_base64_enc' (unrendered template variable, per the rule comment)
      - .named_groups['email_addy'] matches 'Fa(?:m|rn)ily' (parameter name repeated in the value, per the rule comment)
Inspects: body.links, body.links[].href_url.fragment, type.inbound. Sensors: regex.icontains, regex.iextract, strings.icontains, strings.parse_email, strings.scan_base64.
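To make the per-link predicate concrete, here is a Python re-implementation of the checks in the rule body and the outline above, run over a handful of constructed sample links. This is an added example, not Sublime's code and not how the MQL engine evaluates the rule. `scan_base64()` and `is_valid_email()` are simplified stand-ins (assumptions, not the page's functions) for `strings.scan_base64(..., ignore_padding=true)` and `strings.parse_email(...).domain.valid`; the dollar in the extraction regex is written as `\$?` so that Python treats it as an optional literal character; and the sample URLs, the `example.test` host and the `victim@example.com` address are invented for the demonstration.

```python
"""Python mirror of the MQL rule's per-link checks (added example, not Sublime's code).
scan_base64() and is_valid_email() are simplified stand-ins for the MQL functions
(assumptions, not the page's own implementations); sample links are constructed."""

import base64
import re
from urllib.parse import urlsplit

# Same parameter pattern as the rule; 'rn' is accepted as a look-alike of 'm',
# so "Farnily=" matches too. Python needs the dollar escaped to keep it literal.
FAMILY_PRESENT = re.compile(r'Fa(?:m|rn)ily=', re.IGNORECASE)
FAMILY_VALUE = re.compile(r'Fa(?:m|rn)ily=\$?(?P<email_addy>[^&]+)', re.IGNORECASE)
# Stand-in for "parses as an email whose domain is valid": local@label.tld
EMAIL = re.compile(r'^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.IGNORECASE)
# Runs that look like base64 (standard or URL-safe alphabet), padding optional
B64_RUN = re.compile(r'[A-Za-z0-9+/_-]{8,}={0,2}')


def is_valid_email(s: str) -> bool:
    return bool(EMAIL.match(s.strip()))


def scan_base64(s: str) -> list[str]:
    """Decode every base64-looking run in s, tolerating missing padding
    (the ignore_padding=true behaviour). Keeps only printable ASCII results."""
    found = []
    for m in B64_RUN.finditer(s):
        token = m.group(0).rstrip('=')
        token += '=' * (-len(token) % 4)          # re-pad to a multiple of 4
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                text = decoder(token).decode('ascii')
            except ValueError:                   # binascii.Error and decode errors
                continue
            if text.isprintable():
                found.append(text)
                break
    return found


def looks_hex_encoded_email(value: str) -> bool:
    """The rule's hex heuristic: '40' (@) and '2e' (.) present, even length."""
    low = value.lower()
    return '40' in low and '2e' in low and len(value) % 2 == 0


def fragment_matches(fragment: str) -> bool:
    """Mirror of the predicate inside any(body.links, ...) for one link."""
    if not FAMILY_PRESENT.search(fragment):
        return False
    # Branch 1: a base64 (or base64-of-base64) address anywhere in the fragment
    for decoded in scan_base64(fragment):
        if is_valid_email(decoded) or any(is_valid_email(d) for d in scan_base64(decoded)):
            return True
    # Branch 2: look at the Family= value itself
    for m in FAMILY_VALUE.finditer(fragment):
        value = m.group('email_addy')
        if (is_valid_email(value)
                or looks_hex_encoded_email(value)
                or 'sf_base64_enc' in value.lower()
                or re.search(r'Fa(?:m|rn)ily', value, re.IGNORECASE)):
            return True
    return False


def link_matches(href: str) -> bool:
    """Only the URL fragment is inspected, exactly as .href_url.fragment is in the rule."""
    return fragment_matches(urlsplit(href).fragment)


# Constructed sample links (not observed URLs); victim@example.com plays the recipient.
_ADDR = b'victim@example.com'
_B64 = base64.b64encode(_ADDR).decode()
SAMPLE_LINKS = {
    'base64':         f'https://example.test/view#Family={_B64}',
    'double_base64':  f'https://example.test/view#Family={base64.b64encode(_B64.encode()).decode()}',
    'hex':            f'https://example.test/view#Family={_ADDR.hex()}',
    'plain_rn':       'https://example.test/view#Farnily=victim@example.com',
    'broken_tpl':     'https://example.test/view#Family=$sf_base64_enc(recipient)',
    'benign_value':   'https://example.test/docs#Family=plans',
    'query_not_frag': f'https://example.test/view?Family={_B64}',
}


def evaluate_samples() -> dict[str, bool]:
    return {name: link_matches(url) for name, url in SAMPLE_LINKS.items()}


if __name__ == '__main__':
    for name, hit in evaluate_samples().items():
        print(f'{name:15s} {"MATCH" if hit else "no match"}')
```

The last two samples are the ones to keep in mind when tuning: a `Family=` value that is neither an address nor encoded data does not fire, and the same encoded address placed in the query string rather than the fragment is out of the rule's scope, because only `.href_url.fragment` is inspected.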
Indicators matched (6)
| Function | Match type | Value |
|---|---|---|
| regex.icontains | regex | Fa(?:m\|rn)ily= |
| regex.iextract | regex | Fa(?:m\|rn)ily=$?(?P<email_addy>[^&]+) |
| strings.icontains | substring | 40 |
| strings.icontains | substring | 2e |
| strings.icontains | substring | sf_base64_enc |
| regex.icontains | regex | Fa(?:m\|rn)ily |