Detection rules › Sublime MQL
Link to Google Apps Script macro (unsolicited)
Message contains a link to a Google Apps Script macro, i.e. a web app served from script.google.com under the /macros path. Apps Script runs code controlled by the script's author, so such a link can do anything the author wants, including redirecting the user to a malicious web page.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Open redirect, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
        .href_url.domain.domain == "script.google.com"
        and strings.ilike(.href_url.path, "/macros*")
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
Detection logic
Scope: inbound messages only. The sender-profile clause is what makes the rule "unsolicited": it fires only for senders that are new or an outlier for the organization, or whose earlier messages were only ever judged malicious or spam and never benign. A known-good sender linking to an Apps Script web app does not match.
- inbound message
- any of body.links where all of the following hold:
  - .href_url.domain.domain is 'script.google.com'
  - .href_url.path matches '/macros*' (case-insensitive)
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not profile.by_sender().any_messages_benign
Inspects: body.links, body.links[].href_url.domain.domain, body.links[].href_url.path, type.inbound. Sensors: profile.by_sender, strings.ilike.
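The same logic re-implemented in Python and run over a few constructed sample messages. This is an added example, not Sublime's engine or code from the rule page: `ilike` approximates MQL's `strings.ilike` as a case-insensitive glob, `SenderProfile` is an assumed shape for the fields the rule reads from `profile.by_sender()`, the exact-host comparison stands in for `.href_url.domain.domain`, and every URL and deployment ID below is made up. It goes a little beyond the rule text by including the negative cases worth confirming before deploying: an outbound copy, a lookalike host with script.google.com in the query string, a non-macro path on the real host, and a sender with mixed history.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def ilike(value: str, pattern: str) -> bool:
    """Approximation of MQL strings.ilike (assumed semantics): a case-insensitive
    glob in which '*' matches any run of characters and all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_apps_script_macro_link(href: str) -> bool:
    """Mirror of the rule's per-link predicate: the host must be exactly
    script.google.com (not a substring anywhere in the URL) and the path must
    start with /macros."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    return host == "script.google.com" and ilike(parts.path, "/macros*")


@dataclass
class SenderProfile:
    """Assumed subset of profile.by_sender() that the rule reads."""
    prevalence: str                             # e.g. "new", "outlier", "common"
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False


@dataclass
class Message:
    inbound: bool
    links: list[str]
    sender: SenderProfile


def sender_is_unsolicited(p: SenderProfile) -> bool:
    """Second clause of the rule: new/outlier sender, or a sender whose history
    is only ever malicious/spam with no benign messages."""
    return p.prevalence in ("new", "outlier") or (
        p.any_messages_malicious_or_spam and not p.any_messages_benign
    )


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and any(is_apps_script_macro_link(h) for h in msg.links)
        and sender_is_unsolicited(msg.sender)
    )


# Constructed sample data; the deployment ID and hosts are placeholders.
MACRO_URL = "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"
NEW_SENDER = SenderProfile("new")
KNOWN_GOOD = SenderProfile("common", any_messages_benign=True)
KNOWN_BAD = SenderProfile("common", any_messages_malicious_or_spam=True)
MIXED = SenderProfile("common", any_messages_malicious_or_spam=True,
                      any_messages_benign=True)

SAMPLES = {
    "new_sender_macro_link": Message(True, [MACRO_URL], NEW_SENDER),
    "known_good_sender": Message(True, [MACRO_URL], KNOWN_GOOD),
    "known_bad_sender": Message(True, [MACRO_URL], KNOWN_BAD),
    "mixed_history_sender": Message(True, [MACRO_URL], MIXED),
    "outbound_copy": Message(False, [MACRO_URL], NEW_SENDER),
    # Uppercase host/path: hostname is normalised, ilike handles the path.
    "uppercase_path": Message(
        True, ["https://SCRIPT.GOOGLE.COM/MACROS/s/EXAMPLE_DEPLOYMENT_ID/exec"],
        NEW_SENDER),
    "non_macro_path": Message(
        True, ["https://script.google.com/home/projects/EXAMPLE"], NEW_SENDER),
    # Real host appears only inside the query string of another domain.
    "lookalike_in_query": Message(
        True, ["https://evil.example/?next=script.google.com/macros/s/x/exec"],
        NEW_SENDER),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every sample and return name -> matched."""
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'MATCH' if hit else '-'}")
```

The lookalike and non-macro cases are the ones to keep in mind when tuning: the rule keys on the exact host and a path prefix, so a redirector on another domain that merely mentions script.google.com is out of scope for this rule, and an Apps Script editor or project link that is not a deployed web app does not match either.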
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
| body.links[].href_url.domain.domain | equals | script.google.com |
| body.links[].href_url.path | strings.ilike (case-insensitive glob) | /macros* |