Link: Mamba 2FA phishing kit

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Evasion, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == 'cred_theft' and .confidence == 'high'
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to,
            strings.icontains(body.current_thread.text, .email.email)
    )
    and regex.icontains(body.current_thread.text,
                        '(invoice|document|docusign|past due|confirm receipt)'
    )
  )
  or (
    sender.email.domain.domain == 'icloud.com'
    and any(attachments, .file_name == 'invite.ics')
  )
)
and any(body.links,
        any(ml.link_analysis(., mode="aggressive").redirect_history,
            (
              // sv= in base64 as well as commonly observed tag
              regex.contains(.url, '(?:(?:/?|=)c3Y9|N0123N)')
              // &uid=USER base64 offsets
              and (
                strings.contains(.url, 'JnVpZD1VU0VS')
                or strings.contains(.url, 'Z1aWQ9VVNFU')
                or strings.contains(.url, 'mdWlkPVVTRV')
              )
            )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(body.links) < 10
  3. any of:
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'cred_theft'
      • .confidence is 'high'
    • all of:
      • length(recipients.to) is 1
      • any of recipients.to where:
        • body.current_thread.text contains .email.email (case-insensitive)
      • body.current_thread.text matches '(invoice|document|docusign|past due|confirm receipt)'
    • all of:
      • sender.email.domain.domain is 'icloud.com'
      • any of attachments where:
        • .file_name is 'invite.ics'
  4. any of body.links where:
    • any of ml.link_analysis(., mode='aggressive').redirect_history where all hold:
      • .url matches '(?:(?:/?|=)c3Y9|N0123N)'
      • any of:
        • .url contains 'JnVpZD1VU0VS'
        • .url contains 'Z1aWQ9VVNFU'
        • .url contains 'mdWlkPVVTRV'

Inspects: attachments[].file_name, body.current_thread.text, body.links, recipients.to, recipients.to[].email.email, sender.email.domain.domain, type.inbound. Sensors: ml.link_analysis, ml.nlu_classifier, regex.contains, regex.icontains, strings.contains, strings.icontains.
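The three '&uid=USER' substrings above are the same nine bytes base64-encoded at each of the three possible byte offsets (base64 turns 3 input bytes into 4 output characters, so the encoding of a substring depends on its position modulo 3). The following Python is an added example, not part of the Sublime rule: it derives those alignments from the plaintext parameter and mirrors the rule's redirect-history test over constructed sample URLs (the hostnames and query string are invented for the example).

```python
import base64
import re

# Link-stage indicators copied from the rule body above.
SV_PATTERN = re.compile(r"(?:(?:/?|=)c3Y9|N0123N)")
UID_SUBSTRINGS = ("JnVpZD1VU0VS", "Z1aWQ9VVNFU", "mdWlkPVVTRV")


def base64_alignments(needle: bytes) -> list[str]:
    """Encoded forms of `needle` at each of the three byte offsets modulo 3.

    The needle is prefixed with 0, 1 or 2 dummy bytes, encoded, and then the
    output characters that also depend on a neighbouring byte (the dummy
    prefix or whatever follows the needle) are trimmed. What remains is a
    substring that matches wherever the needle sits in the encoded data.
    """
    variants = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + needle).decode().rstrip("=")
        lead = (0, 2, 3)[pad]                       # chars mixed with the dummy bytes
        tail = (0, 1, 1)[(pad + len(needle)) % 3]   # chars mixed with the next byte
        variants.append(encoded[lead:len(encoded) - tail])
    return variants


def link_matches_mamba(redirect_history: list[str]) -> bool:
    """Mirror of the rule's redirect-history test: a single hop must carry the
    encoded 'sv=' marker (or the commonly observed tag) together with one of
    the '&uid=USER' alignments."""
    return any(
        SV_PATTERN.search(url) is not None and any(s in url for s in UID_SUBSTRINGS)
        for url in redirect_history
    )


# Constructed samples: one hop carries the kit's parameters base64-encoded in
# its query string, the other is an ordinary document link.
SAMPLE_HOP = "https://redirect.example.invalid/go?d=" + base64.b64encode(
    b"sv=o365&uid=USER"
).decode()
BENIGN_HOP = "https://docs.example.invalid/view?id=12345"

if __name__ == "__main__":
    print(base64_alignments(b"&uid=USER"))   # the three substrings used by the rule
    print(link_matches_mamba([BENIGN_HOP, SAMPLE_HOP]), link_matches_mamba([BENIGN_HOP]))
```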

Indicators matched (9)

Field                                                              Match      Value
ml.nlu_classifier(body.current_thread.text).intents[].name         equals     cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence   equals     high
regex.icontains                                                    regex      (invoice|document|docusign|past due|confirm receipt)
sender.email.domain.domain                                         equals     icloud.com
attachments[].file_name                                            equals     invite.ics
regex.contains                                                     regex      (?:(?:/?|=)c3Y9|N0123N)
strings.contains                                                   substring  JnVpZD1VU0VS
strings.contains                                                   substring  Z1aWQ9VVNFU
strings.contains                                                   substring  mdWlkPVVTRV