Link: Microsoft device code authentication with suspicious indicators
Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering, Evasion |
Event coverage
| Message attribute |
|---|
| body |
| recipients |
| type |
Rule body (MQL)

```mql
type.inbound
and length(recipients.to) == 1
and 0 < length(body.links) < 15
and any(body.links,
        // strings commonly observed in the microsoft device code phishing lure
        regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                        "verification co(?:mplete|de)",
                        '\bcopy code\b',
                        "Secured by Microsoft",
                        "(?:redirecting to|opening) your document",
                        "preparing verification",
                        "(?:verify your identity|complete verification) with Microsoft"
        )
        // unique device code antibot token cookie, api path, ms device login path url
        and (
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                          'X-Antibot-Token',
                          '\/api\/device\/sta(?:rt|tus)\/',
                          'microsoft\.com\/devicelogin'
          )
          // or api path on workers dev associated with this activity
          or any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                 strings.icontains(.path, '/api/device/start')
                 and strings.icontains(.domain.root_domain, 'workers.dev')
          )
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- length(recipients.to) is 1
- all of:
  - length(body.links) > 0
  - length(body.links) < 15
- any of body.links where all hold:
  - ml.link_analysis(., mode='aggressive').final_dom.display_text matches any of 6 patterns:
    - verification co(?:mplete|de)
    - \bcopy code\b
    - Secured by Microsoft
    - (?:redirecting to|opening) your document
    - preparing verification
    - (?:verify your identity|complete verification) with Microsoft
  - any of:
    - ml.link_analysis(., mode='aggressive').final_dom.raw matches any of 3 patterns:
      - X-Antibot-Token
      - \/api\/device\/sta(?:rt|tus)\/
      - microsoft\.com\/devicelogin
    - any of ml.link_analysis(., mode='aggressive').unique_urls_accessed where all hold:
      - .path contains '/api/device/start'
      - .domain.root_domain contains 'workers.dev'
Inspects: body.links, recipients.to, type.inbound. Sensors: ml.link_analysis, regex.icontains, strings.icontains.
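To check how the rule body above and the logic tree combine, the following added Python example re-implements the same conditions outside Sublime and runs them over constructed link-analysis results. It is not Sublime's code: the `LinkAnalysis` and `Message` dataclasses are assumed stand-ins for the fields the rule reads (`final_dom.display_text`, `final_dom.raw`, `unique_urls_accessed`), the regex strings are copied from the rule, and `root_domain` is a simplified two-label approximation of `.domain.root_domain`. It shows in particular that a page whose text merely mentions "Secured by Microsoft" is not enough on its own; the raw-DOM or workers.dev branch must also fire.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Regex patterns copied verbatim from the rule body.
DISPLAY_TEXT_PATTERNS = [
    r"verification co(?:mplete|de)",
    r"\bcopy code\b",
    r"Secured by Microsoft",
    r"(?:redirecting to|opening) your document",
    r"preparing verification",
    r"(?:verify your identity|complete verification) with Microsoft",
]
RAW_DOM_PATTERNS = [
    r"X-Antibot-Token",
    r"\/api\/device\/sta(?:rt|tus)\/",
    r"microsoft\.com\/devicelogin",
]


@dataclass
class LinkAnalysis:
    """Assumed stand-in for ml.link_analysis(., mode='aggressive') output (not Sublime's API)."""
    display_text: str                       # final_dom.display_text
    raw: str                                # final_dom.raw
    urls_accessed: list[str] = field(default_factory=list)  # unique_urls_accessed


@dataclass
class Message:
    """Assumed stand-in for the message attributes the rule inspects."""
    inbound: bool
    recipients_to: list[str]
    links: list[LinkAnalysis]


def regex_icontains(text: str, *patterns: str) -> bool:
    """Mirror regex.icontains: true if any pattern matches case-insensitively."""
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def root_domain(host: str) -> str:
    """Simplified approximation of .domain.root_domain: last two labels.
    Good enough for '*.workers.dev'; a real implementation uses the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_is_suspicious(link: LinkAnalysis) -> bool:
    """One body.links element: lure text AND (raw-DOM indicator OR workers.dev API path)."""
    lure_text = regex_icontains(link.display_text, *DISPLAY_TEXT_PATTERNS)
    raw_indicators = regex_icontains(link.raw, *RAW_DOM_PATTERNS)
    workers_api = any(
        "/api/device/start" in (urlparse(u).path or "").lower()
        and "workers.dev" in root_domain(urlparse(u).hostname or "")
        for u in link.urls_accessed
    )
    return lure_text and (raw_indicators or workers_api)


def rule_matches(msg: Message) -> bool:
    """Top-level rule: inbound, single recipient, 1..14 links, any suspicious link."""
    return (
        msg.inbound
        and len(msg.recipients_to) == 1
        and 0 < len(msg.links) < 15
        and any(link_is_suspicious(link) for link in msg.links)
    )


# Constructed sample inputs (not captured data).
PHISH = Message(
    inbound=True,
    recipients_to=["user@example.com"],
    links=[LinkAnalysis(
        display_text="Preparing verification... Copy code to continue: ABCD-1234",
        raw='<script>fetch("/poll", {headers: {"X-Antibot-Token": "t"}})</script>',
    )],
)
WORKERS_ONLY = Message(
    inbound=True,
    recipients_to=["user@example.com"],
    links=[LinkAnalysis(
        display_text="Redirecting to your document",
        raw="<html><body>Loading</body></html>",
        urls_accessed=["https://lure-example.workers.dev/api/device/start"],
    )],
)
BENIGN = Message(
    inbound=True,
    recipients_to=["user@example.com"],
    links=[LinkAnalysis(
        display_text="Secured by Microsoft - view the shared file",
        raw="<html><body>Secured by Microsoft</body></html>",
        urls_accessed=["https://example.com/share/123"],
    )],
)
BULK = Message(inbound=True, recipients_to=["a@example.com", "b@example.com"], links=PHISH.links)

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("WORKERS_ONLY", WORKERS_ONLY), ("BENIGN", BENIGN), ("BULK", BULK)]:
        print(f"{name}: {rule_matches(msg)}")
```

The `BENIGN` case documents the rule's main false-positive guard: brand wording alone does not fire it, and `BULK` shows the single-recipient check excluding mass mailings with the same content.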
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | verification co(?:mplete|de) |
| regex.icontains | regex | \bcopy code\b |
| regex.icontains | regex | Secured by Microsoft |
| regex.icontains | regex | (?:redirecting to|opening) your document |
| regex.icontains | regex | preparing verification |
| regex.icontains | regex | (?:verify your identity|complete verification) with Microsoft |
| regex.icontains | regex | X-Antibot-Token |
| regex.icontains | regex | \/api\/device\/sta(?:rt|tus)\/ |
| regex.icontains | regex | microsoft\.com\/devicelogin |
| strings.icontains | substring | /api/device/start |
| strings.icontains | substring | workers.dev |