
Link: Free file hosting with undisclosed recipients

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing, Malware/Ransomware
Tactics and techniques | Free file host, Free subdomain host, Evasion

Event coverage

Rule body MQL

type.inbound
// no previous threads
and (
  length(body.previous_threads) == 0
  // If there is a previous thread, it is unrelated to current thread
  or any(body.previous_threads, .sender.email.email != mailbox.email.email)
)

// few links that aren't "social" links
and 0 < length(filter(body.current_thread.links,
                      .href_url.domain.root_domain not in (
                        'x.com',
                        'facebook.com',
                        'twitter.com',
                        'instagram.com',
                        'youtube.com',
                        'linkedin.com'
                      )
               )
) < 10

// undisclosed recipients or all recipients cc'd
and (
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  or (length(recipients.cc) > 0 and length(recipients.to) == 0)
  or (length(recipients.bcc) > 0 and length(recipients.to) == 0)
  or (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
    and all(recipients.to, .email.email == sender.email.email)
    and all(recipients.to, .email.email != mailbox.email.email)
  )
)

// links to free file hosts or free subdomain hosts
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
        )
        and .visible
        and not (
          .href_url.domain.root_domain == "googleusercontent.com"
          and strings.istarts_with(.href_url.path, "/mail-sig")
        )
        and not .href_url.domain.domain in $tenant_domains
)

// negate listmailers & benign threads
and not (
  any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "benign" and .confidence == "high"
  )
)
and not (
  (
    sender.email.domain.root_domain in ("twilio.com", "zendesk.com")
    or headers.return_path.domain.root_domain in ("twilio.com", "zendesk.com")
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// unsolicited and passing auth, or failing/missing dmarc
and (
  (
    coalesce(headers.auth_summary.dmarc.pass, false)
    and not profile.by_sender().solicited
  )
  or profile.by_sender_email().days_since.last_inbound > 365
  or (not coalesce(headers.auth_summary.dmarc.pass, false))
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. any of:
    • length(body.previous_threads) is 0
    • any of body.previous_threads where:
      • .sender.email.email is not mailbox.email.email
  3. all of:
    • length(filter(body.current_thread.links, .href_url.domain.root_domain not in ('x.com', 'facebook.com', 'twitter.com', 'instagram.com', 'youtube.com', 'linkedin.com'))) > 0
    • length(filter(body.current_thread.links, .href_url.domain.root_domain not in ('x.com', 'facebook.com', 'twitter.com', 'instagram.com', 'youtube.com', 'linkedin.com'))) < 10
  4. any of:
    • any of recipients.to where:
      • .display_name matches 'undisclosed?recipients'
    • all of:
      • length(recipients.cc) > 0
      • length(recipients.to) is 0
    • all of:
      • length(recipients.bcc) > 0
      • length(recipients.to) is 0
    • all of:
      • length(recipients.to) is 1
      • length(recipients.cc) is 0
      • length(recipients.bcc) is 0
      • all of recipients.to where:
        • .email.email is sender.email.email
      • all of recipients.to where:
        • .email.email is not mailbox.email.email
  5. any of body.current_thread.links where all hold:
    • any of:
      • .href_url.domain.root_domain in $free_file_hosts
      • .href_url.domain.root_domain in $free_subdomain_hosts
    • .visible
    • not:
      • all of:
        • .href_url.domain.root_domain is 'googleusercontent.com'
        • .href_url.path starts with '/mail-sig'
    • not:
      • .href_url.domain.domain in $tenant_domains
  6. none of:
    • any of headers.hops where:
      • any of .fields where:
        • .name is 'List-Unsubscribe'
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'benign'
      • .confidence is 'high'
  7. not:
    • all of:
      • any of:
        • sender.email.domain.root_domain in ('twilio.com', 'zendesk.com')
        • headers.return_path.domain.root_domain in ('twilio.com', 'zendesk.com')
      • coalesce(headers.auth_summary.dmarc.pass, false)
  8. any of:
    • all of:
      • coalesce(headers.auth_summary.dmarc.pass, false)
      • not:
        • profile.by_sender().solicited
    • profile.by_sender_email().days_since.last_inbound > 365
    • not:
        • coalesce(headers.auth_summary.dmarc.pass, false)

Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.domain, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.path, body.current_thread.links[].visible, body.current_thread.text, body.previous_threads, body.previous_threads[].sender.email.email, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.return_path.domain.root_domain, mailbox.email.email, recipients.bcc, recipients.cc, recipients.to, recipients.to[].display_name, recipients.to[].email.email, sender.email.domain.root_domain, sender.email.email, type.inbound.

Sensors: ml.nlu_classifier, profile.by_sender, profile.by_sender_email, strings.ilike, strings.istarts_with.

Reference lists: $free_file_hosts, $free_subdomain_hosts, $tenant_domains.
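The three structural clauses of the rule (the non-social link count, the hidden-recipient patterns, and the visible link to a free host with the Gmail signature and tenant-domain exclusions) can be re-implemented outside Sublime to see exactly which messages they select. The block below is an added example written for this page, not Sublime's code and not part of the sublime-rules repository. It uses only the Python standard library; the sample messages, the stand-in `FREE_FILE_HOSTS` and `TENANT_DOMAINS` sets (placeholders for the `$free_file_hosts`, `$free_subdomain_hosts` and `$tenant_domains` reference lists), the two-label `root_domain()` helper and the "anchor has link text" approximation of `.visible` are all assumptions. The thread, DMARC, sender-profile and NLU clauses are not modelled because they depend on Sublime's sensors.

```python
"""Re-implementation of clauses 3, 4 and 5 of the rule above (added example,
not Sublime's code). Standard library only."""
import re
from email import message_from_string
from html.parser import HTMLParser
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed stand-ins for the $free_file_hosts/$free_subdomain_hosts and
# $tenant_domains reference lists (assumption: not real list contents).
FREE_FILE_HOSTS = {"filehost.test", "freeshare.test"}
TENANT_DOMAINS = {"example.com"}
# Domains the rule excludes from the link count (taken from the rule body).
SOCIAL_DOMAINS = {"x.com", "facebook.com", "twitter.com",
                  "instagram.com", "youtube.com", "linkedin.com"}


def root_domain(host):
    """Last two labels of a hostname. Assumption: a stand-in for MQL's
    public-suffix-aware root_domain; wrong for e.g. .co.uk, fine here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collects <a href> links; .visible is approximated as 'has link text'."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href,
                               "visible": bool("".join(self._text).strip())})
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def nonsocial_link_count(links):
    """Clause 3: number of links whose root domain is not a social site."""
    return sum(1 for l in links
               if root_domain(urlparse(l["href"]).hostname or "") not in SOCIAL_DOMAINS)


def recipients_hidden(msg, mailbox):
    """Clause 4: undisclosed recipients, CC/BCC-only, or a lone To: that is
    the sender's own address rather than the receiving mailbox."""
    to_raw = " ".join(msg.get_all("To", []))
    # strings.ilike("undisclosed?recipients"): '?' is one character, case-
    # insensitive; treated as a substring match as the indicator table lists it.
    if re.search(r"undisclosed.recipients", to_raw, re.IGNORECASE):
        return True
    to = getaddresses(msg.get_all("To", []))
    cc = getaddresses(msg.get_all("Cc", []))
    bcc = getaddresses(msg.get_all("Bcc", []))
    sender = getaddresses(msg.get_all("From", []))[0][1].lower()
    if not to and (cc or bcc):
        return True
    if len(to) == 1 and not cc and not bcc:
        addr = to[0][1].lower()
        return addr == sender and addr != mailbox.lower()
    return False


def free_host_link(links, free_hosts, tenant_domains):
    """Clause 5: a visible link to a free host, minus the Gmail signature-image
    path (googleusercontent.com/mail-sig...) and the tenant's own domains."""
    for link in links:
        url = urlparse(link["href"])
        host = (url.hostname or "").lower()
        rd = root_domain(host)
        if rd not in free_hosts or not link["visible"]:
            continue
        if rd == "googleusercontent.com" and url.path.lower().startswith("/mail-sig"):
            continue
        if host in tenant_domains:
            continue
        return True
    return False


def evaluate(raw, mailbox, free_hosts=FREE_FILE_HOSTS, tenant_domains=TENANT_DOMAINS):
    """Evaluate clauses 3-5 on a raw RFC 822 message; returns per-clause results."""
    msg = message_from_string(raw)
    html = (msg.get_payload() if not msg.is_multipart() else
            "".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/html"))
    links = extract_links(html)
    few = 0 < nonsocial_link_count(links) < 10
    hidden = recipients_hidden(msg, mailbox)
    free = free_host_link(links, free_hosts, tenant_domains)
    return {"few_links": few, "recipients_hidden": hidden,
            "free_host_link": free, "match": few and hidden and free}


# Constructed sample messages (not real traffic).
SAMPLE_HIT = """From: promo@sender.test
To: undisclosed-recipients:;
Subject: Shared file
Content-Type: text/html

<html><body><p>Your document is ready:</p>
<a href="https://files.filehost.test/d/abc123">Download</a>
<a href="https://twitter.com/sendertest">Follow us</a>
</body></html>
"""

SAMPLE_MISS = """From: colleague@example.com
To: Alice <alice@example.com>
Subject: Re: notes
Content-Type: text/html

<html><body><a href="https://files.filehost.test/d/xyz">notes</a></body></html>
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_HIT, "alice@example.com"))   # all three clauses true
    print(evaluate(SAMPLE_MISS, "alice@example.com"))  # recipients not hidden
```

Running the block shows the first sample satisfying all three clauses and the second failing only the recipient clause, which is the behaviour to expect when tuning: a free-host link addressed openly to the mailbox is not enough on its own, and the remaining clauses (thread history, DMARC, sender profile, NLU intent) narrow the match further before the rule fires.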

Indicators matched (16)

Field | Match | Value
body.current_thread.links[].href_url.domain.root_domain | member | x.com
body.current_thread.links[].href_url.domain.root_domain | member | facebook.com
body.current_thread.links[].href_url.domain.root_domain | member | twitter.com
body.current_thread.links[].href_url.domain.root_domain | member | instagram.com
body.current_thread.links[].href_url.domain.root_domain | member | youtube.com
body.current_thread.links[].href_url.domain.root_domain | member | linkedin.com
strings.ilike | substring | undisclosed?recipients
body.current_thread.links[].href_url.domain.root_domain | equals | googleusercontent.com
strings.istarts_with | prefix | /mail-sig
headers.hops[].fields[].name | equals | List-Unsubscribe
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | benign
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high
sender.email.domain.root_domain | member | twilio.com
sender.email.domain.root_domain | member | zendesk.com
headers.return_path.domain.root_domain | member | twilio.com
headers.return_path.domain.root_domain | member | zendesk.com