Detection rules › Sublime MQL
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free email provider, Free file host, ICS Phishing, Open redirect, Social engineering |
Event coverage
Rule body MQL
type.inbound
and strings.iends_with(subject.subject, "has shared a calendar with you")
and strings.ilike(headers.message_id, "<calendar*@google.com>")
and sender.email.domain.domain in $free_email_providers
and any(body.links,
any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
or (
any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
and profile.by_sender().prevalence in ("new", "outlier")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Detection logic
Scope: inbound message.
Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.
- inbound message
- subject.subject ends with 'has shared a calendar with you'
- headers.message_id matches '<calendar*@google.com>'
- sender.email.domain.domain in $free_email_providers
any of
body.linkswhere any holds:any of
.href_url.rewrite.encoderswhere:- . contains 'open_redirect'
any of
ml.link_analysis(.).final_dom.linkswhere:any of
.href_url.rewrite.encoderswhere:- . contains 'open_redirect'
- profile.by_sender().prevalence in ('new', 'outlier')
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
any of
distinct(headers.hops)where:- .authentication_results.dmarc matches '*fail'
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
Inspects: body.links, body.links[].href_url.rewrite.encoders, headers.hops, headers.hops[].authentication_results.dmarc, headers.message_id, sender.email.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.link_analysis, profile.by_sender, strings.icontains, strings.iends_with, strings.ilike. Reference lists: $free_email_providers, $high_trust_sender_root_domains.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
strings.iends_with | suffix | has shared a calendar with you |
strings.ilike | substring | <calendar*@google.com> |
strings.icontains | substring | open_redirect |
strings.ilike | substring | *fail |