Link: HR impersonation with suspicious domain indicators and credential theft

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating HR departments containing many links with malformed domains, suspicious TLD patterns, and credential theft language detected through URL analysis.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category: Attack types
Values: Credential Phishing

Category: Tactics and techniques
Values: Impersonation: Employee, Social engineering, Lookalike domain

Event coverage

Rule body (MQL)

type.inbound
// high number of links
and length(body.links) > 20
// hr-related subject or sender
and (
  regex.icontains(sender.display_name, "\\bhr\\b")
  or strings.icontains(sender.display_name, "human resources")
  or strings.icontains(sender.display_name, "employee relation")
  or regex.icontains(subject.subject, "sal[ai1l|]r[i1l|]es")
  or regex.icontains(subject.subject, "hr__.{0,30}")
  or regex.icontains(subject.subject, "work.{0,5}hours")
  or regex.icontains(subject.subject,
                     "instant:.{0,20}(salaries|salary|changed|update)"
  )
  or strings.icontains(body.current_thread.text, "vacation plan")
)
// suspect domain irregularities (like www.,company.com)
and any(body.links,
        (
          // malformed domains with comma variations
          regex.icontains(.display_text, "www.?,")
          // multiple consecutive dots
          or regex.icontains(.display_text, "\\.{2,}")
          // comma in domain position
          or regex.icontains(.display_text, "\\.,")
          // suspicious TLD patterns that might be typosquatting
          or regex.icontains(.display_text, "\\.(tu|cg|mv|tk|3v|ct|jh)/")
          // random characters in TLD position
          or regex.icontains(.display_text,
                             "\\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/"
          )
          // URLs that contain obvious credential theft terms in the path
          or regex.icontains(.display_text,
                             "/(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/"
          )
        )
        and .visible == true
        and any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
                .name == "cred_theft" and .confidence == "high"
        )
)
// exclusions for legitimate sources
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Security and Authentication",
              "Secure Message",
              "Newsletters and Digests",
              "Entertainment and Sports"
            )
            and .confidence in ("medium", "high")
)
// exclude messages with a lot of previous correspondence
and not length(body.previous_threads) > 5

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(body.links) > 20
  3. any of:
    • sender.display_name matches '\\bhr\\b'
    • sender.display_name contains 'human resources'
    • sender.display_name contains 'employee relation'
    • subject.subject matches 'sal[ai1l|]r[i1l|]es'
    • subject.subject matches 'hr__.{0,30}'
    • subject.subject matches 'work.{0,5}hours'
    • subject.subject matches 'instant:.{0,20}(salaries|salary|changed|update)'
    • body.current_thread.text contains 'vacation plan'
  4. any of body.links where all hold:
    • .display_text matches any of 6 patterns
      • www.?,
      • \\.{2,}
      • \\.,
      • \\.(tu|cg|mv|tk|3v|ct|jh)/
      • \\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/
      • /(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/
    • .visible is True
    • any of ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents where all hold:
      • .name is 'cred_theft'
      • .confidence is 'high'
  5. not:
    • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
      • .name in ('Security and Authentication', 'Secure Message', 'Newsletters and Digests', 'Entertainment and Sports')
      • .confidence in ('medium', 'high')
  6. not:
    • length(body.previous_threads) > 5

Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].visible, body.previous_threads, sender.display_name, subject.subject, type.inbound. Sensors: beta.ocr, ml.link_analysis, ml.nlu_classifier, regex.icontains, strings.icontains.
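The static, non-ML predicates of the rule above, re-implemented in Python as an added example (this is not code from the Sublime rule set). The message is modelled as a plain dict with constructed sample values, and the OCR/NLU sensors (the cred_theft intent and the topic exclusion) are assumed to run elsewhere and are not reproduced.

```python
import re

# Sender/subject heuristics, copied from the rule body above.
HR_SENDER_RE = re.compile(r"\bhr\b", re.I)
HR_SENDER_WORDS = ("human resources", "employee relation")
HR_SUBJECT_RES = [re.compile(p, re.I) for p in (
    r"sal[ai1l|]r[i1l|]es", r"hr__.{0,30}", r"work.{0,5}hours",
    r"instant:.{0,20}(salaries|salary|changed|update)")]
# Link display-text patterns, in the order they appear in the rule.
LINK_RES = [re.compile(p, re.I) for p in (
    r"www.?,",                                 # unescaped '.', so "wwwx," also matches
    r"\.{2,}",
    r"\.,",
    r"\.(tu|cg|mv|tk|3v|ct|jh)/",
    r"\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/",   # also fires on ordinary ".com/a/b/" paths
    r"/(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/")]


def hr_context(msg):
    """Step 3 of the detection logic: HR-flavoured sender, subject or body text."""
    name, subj = msg["sender_display_name"], msg["subject"]
    return bool(HR_SENDER_RE.search(name)
                or any(w in name.lower() for w in HR_SENDER_WORDS)
                or any(r.search(subj) for r in HR_SUBJECT_RES)
                or "vacation plan" in msg["body_text"].lower())


def link_hits(display_text):
    """Indices (0-5) of the LINK_RES patterns that fire on one link's display text."""
    return [i for i, r in enumerate(LINK_RES) if r.search(display_text)]


def static_match(msg):
    """All non-ML predicates of the rule: inbound, >20 links, HR context,
    a visible link hitting a display-text pattern, and at most 5 previous threads."""
    suspect = [link for link in msg["links"]
               if link["visible"] and link_hits(link["display_text"])]
    return (msg["inbound"] and len(msg["links"]) > 20 and hr_context(msg)
            and bool(suspect) and msg["previous_threads"] <= 5)


# Constructed sample message: 20 benign intranet links plus one malformed link.
SAMPLE = {
    "inbound": True,
    "sender_display_name": "HR Department",
    "subject": "Salaries update for Q3",
    "body_text": "Please review the attached salary changes.",
    "previous_threads": 0,
    "links": [{"display_text": f"https://intranet.example.com/news/{i}", "visible": True}
              for i in range(20)]
             + [{"display_text": "www.,example.com/login/", "visible": True}],
}

if __name__ == "__main__":
    print(static_match(SAMPLE), link_hits("www.,example.com/login/"))
```

Note that the salary pattern requires a literal "sal" prefix, so a subject like "Sa1aries update" is not caught by it, and the TLD-position pattern matches any normal two-segment ".com/a/b/" path, which is why the rule gates link hits behind the cred_theft intent check.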

Indicators matched (22)

Field [Match]: Value
regex.icontains [regex]: \\bhr\\b
strings.icontains [substring]: human resources
strings.icontains [substring]: employee relation
regex.icontains [regex]: sal[ai1l|]r[i1l|]es
regex.icontains [regex]: hr__.{0,30}
regex.icontains [regex]: work.{0,5}hours
regex.icontains [regex]: instant:.{0,20}(salaries|salary|changed|update)
strings.icontains [substring]: vacation plan
regex.icontains [regex]: www.?,
regex.icontains [regex]: \\.{2,}
regex.icontains [regex]: \\.,
regex.icontains [regex]: \\.(tu|cg|mv|tk|3v|ct|jh)/
regex.icontains [regex]: \\.[a-z0-9]{1,3}/[a-z0-9]+/[a-z0-9]+/
regex.icontains [regex]: /(sal[ai1l|]r[i1l|]es|login|auth|verify|portal|payment)/
ml.nlu_classifier(beta.ocr(ml.link_analysis(body.links[]).screenshot).text).intents[].name [equals]: cred_theft
ml.nlu_classifier(beta.ocr(ml.link_analysis(body.links[]).screenshot).text).intents[].confidence [equals]: high
ml.nlu_classifier(body.current_thread.text).topics[].name [member]: Security and Authentication
ml.nlu_classifier(body.current_thread.text).topics[].name [member]: Secure Message
ml.nlu_classifier(body.current_thread.text).topics[].name [member]: Newsletters and Digests
ml.nlu_classifier(body.current_thread.text).topics[].name [member]: Entertainment and Sports
ml.nlu_classifier(body.current_thread.text).topics[].confidence [member]: medium
ml.nlu_classifier(body.current_thread.text).topics[].confidence [member]: high