Detection rules › Sublime MQL
Link: Base64 encoded recipient address in URL fragment with subject hash
Detects messages whose subject line contains an alphanumeric string of 32 to 64 characters that also appears in a link's URL fragment, where that fragment additionally carries the recipient's email address encoded in base64. This technique is commonly used to personalize malicious links and evade detection by embedding the target's email address within the URL structure.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Encryption, Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| recipients.to (collection) |
| subject |
| type |
Rule body MQL
```
type.inbound
and any(regex.iextract(subject.subject,
                       '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
        ),
        any(body.links,
            strings.contains(.href_url.fragment, ..named_groups["string"])
            and any(strings.scan_base64(.href_url.fragment),
                    strings.contains(., recipients.to[0].email.email)
            )
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of regex.iextract(subject.subject) where:
  - any of body.links where all hold:
    - strings.contains(.href_url.fragment)
    - any of strings.scan_base64(.href_url.fragment) where:
      - strings.contains(.)
Inspects: body.links, body.links[].href_url.fragment, recipients.to[0].email.email, subject.subject, type.inbound. Sensors: regex.iextract, strings.contains, strings.scan_base64.
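The same three checks (subject token, token echoed in the link fragment, recipient address base64-encoded in that fragment) as a stand-alone Python reimplementation, added here for illustration and not part of the Sublime rule or platform. `scan_base64` is an approximation of Sublime's `strings.scan_base64`, and the message values are constructed samples.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# The pattern the rule passes to regex.iextract; iextract is case-insensitive, hence re.I.
SUBJECT_TOKEN = re.compile(
    r'[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])', re.IGNORECASE)

# Runs that look like standard or URL-safe base64 (approximation of strings.scan_base64).
B64_RUN = re.compile(r'[A-Za-z0-9+/_-]{16,}={0,2}')

def scan_base64(text):
    """Return the UTF-8 strings obtained by decoding every base64-looking run in text."""
    decoded = []
    for run in B64_RUN.findall(text):
        chunk = run.replace('-', '+').replace('_', '/')   # URL-safe -> standard alphabet
        chunk += '=' * (-len(chunk) % 4)                   # restore stripped padding
        try:
            decoded.append(base64.b64decode(chunk, validate=True).decode('utf-8'))
        except (binascii.Error, UnicodeDecodeError):
            continue                                       # not base64 text; skip it
    return decoded

def matches_rule(subject, links, first_recipient):
    """True when the message would fire the rule (type.inbound is assumed)."""
    for m in SUBJECT_TOKEN.finditer(subject):
        token = m.group('string')
        for href in links:
            fragment = urlparse(href).fragment
            if token not in fragment:                      # strings.contains is case-sensitive
                continue
            if any(first_recipient in s for s in scan_base64(fragment)):
                return True
    return False

# Constructed sample (not real traffic): a 40-char token in the subject, repeated in the
# link fragment next to the base64 of the first recipient's address.
RECIPIENT = 'alice@example.com'
TOKEN = '3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7a8b9c0d1'
SAMPLE_SUBJECT = 'Document shared with you ' + TOKEN
SAMPLE_LINKS = [
    'https://tracker.example.invalid/open?id=1#' + TOKEN + '&u='
    + base64.b64encode(RECIPIENT.encode()).decode(),
]

if __name__ == '__main__':
    print(matches_rule(SAMPLE_SUBJECT, SAMPLE_LINKS, RECIPIENT))           # True
    print(matches_rule(SAMPLE_SUBJECT, SAMPLE_LINKS, 'bob@example.com'))  # False
```

Note that, exactly like the rule's regex, a token at the very start of the subject is not matched because a non-alphanumeric character must precede it.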
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| regex.iextract | regex | [^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9]) |