Detection rules › Sublime MQL
Link: Microsoft impersonation using hosted png with suspicious link
Detects inbound messages that carry a link whose displayed URL is a Microsoft-hosted logo PNG, where the sender's display name is all caps, at least one link's display text contains an upper-case call-to-action verb (VIEW, CLICK, DOWNLOAD or CHECK), the body makes a request, the subject names one of the organization's domains, and the sender is new or an outlier for the organization (or has only ever sent malicious or spam mail). Mail from Microsoft's own root domains is excluded, as is mail that links back to the sender's own domain unless that domain is in the Tranco top 1M.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.html |
| body.links (collection) |
| sender |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
// display name is all caps: regex.match is anchored, so the whole name must be
// upper-case letters and spaces
and regex.match(sender.display_name, '[A-Z ]+')
// the sender's root domain is not one of Microsoft's own
and sender.email.domain.root_domain not in~ (
  'microsoft.com',
  'microsoftsupport.com',
  'office.com'
)
// a link whose displayed URL is a logo PNG hosted on microsoft.com
and any(body.links,
  regex.icontains(.display_url.url,
    '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png'
  )
)
// at least one link's display text contains an upper-case call-to-action verb
// (an alternation in parentheses; in brackets this would be a character class)
and any(body.links,
  regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)')
)
// the body makes a request
and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
// no link points back to the sender's own domain, unless that domain is in the Tranco top 1M
and not any(body.links,
  .href_url.domain.root_domain == sender.email.domain.root_domain
  and .href_url.domain.root_domain not in $tranco_1m
)
// one of the org's domains appears in the subject
and any($org_domains, strings.icontains(subject.subject, .))
// sender is new or an outlier for the org, or has only ever sent malicious/spam mail
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
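To see how the rule's clauses behave on concrete input, here is a plain-Python re-implementation of them run over constructed sample messages. This is an added example, not Sublime's code or rule engine. Everything in it is an assumption made for illustration: the `Link`/`Message` classes, `rule_matches()`, `cta_hits()` and `root_domain()` are hypothetical helpers; `root_domain()` is a last-two-labels simplification of Sublime's public-suffix-based root_domain; `ORG_DOMAINS` and `TRANCO_1M` stand in for `$org_domains` and `$tranco_1m`; the NLU "request" entity and the `profile.by_sender()` fields are supplied as plain inputs because those sensors have no offline equivalent; and the sender addresses, `.test` domains and logo URL are made up. The block also carries both spellings of the call-to-action pattern, the grouped alternation `(VIEW|CLICK|DOWNLOAD|CHECK)` and the bracketed form `[VIEW|CLICK|DOWNLOAD|CHECK]`, so that the difference between an alternation and a character class can be seen on ordinary link text.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stand-ins for Sublime's $org_domains and $tranco_1m lists (constructed for this example).
ORG_DOMAINS = {"example.com"}
TRANCO_1M = {"microsoft.com", "office.com", "linkedin.com"}

MICROSOFT_ROOTS = {"microsoft.com", "microsoftsupport.com", "office.com"}
# MQL regex.match must match the entire string; fullmatch() is the Python equivalent.
ALL_CAPS_NAME = re.compile(r"[A-Z ]+")
# MQL regex.icontains: case-insensitive match anywhere in the string.
LOGO_URL = re.compile(r".{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png", re.I)
# Bracket form: a character class, i.e. any ONE letter drawn from these words (or '|').
CTA_CHAR_CLASS = re.compile(r"[VIEW|CLICK|DOWNLOAD|CHECK]", re.I)
# Group form: an alternation of upper-case call-to-action verbs, which is what the rule intends.
CTA_ALTERNATION = re.compile(r"(VIEW|CLICK|DOWNLOAD|CHECK)")


def root_domain(value: str) -> str:
    """Registrable domain of a URL or e-mail address (hypothetical helper).
    Simplification: last two labels. Sublime's root_domain uses the public
    suffix list, so multi-label suffixes such as co.uk come out differently here."""
    host = urlsplit(value).hostname if "://" in value else value.rsplit("@", 1)[-1]
    return ".".join((host or "").lower().split(".")[-2:])


@dataclass
class Link:
    href_url: str       # where the link actually goes
    display_url: str    # URL the recipient sees (image source / visible URL text)
    display_text: str   # anchor text


@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    links: list
    # Outputs of Sublime sensors with no offline equivalent, supplied as plain inputs (assumption):
    nlu_entities: frozenset = frozenset()   # ml.nlu_classifier(body.html.inner_text).entities[].name
    prevalence: str = "common"              # profile.by_sender().prevalence
    any_malicious_or_spam: bool = False     # profile.by_sender().any_messages_malicious_or_spam
    any_benign: bool = False                # profile.by_sender().any_messages_benign


def cta_hits(display_texts, pattern):
    """Display texts that satisfy the call-to-action clause under a given pattern."""
    return [t for t in display_texts if pattern.search(t)]


def rule_matches(msg: Message, cta_re=CTA_ALTERNATION) -> bool:
    """Evaluate the rule's clauses in the order they appear in the MQL."""
    sender_root = root_domain(msg.sender_email)
    link_roots = [root_domain(l.href_url) for l in msg.links]
    return (
        ALL_CAPS_NAME.fullmatch(msg.display_name) is not None
        and sender_root not in MICROSOFT_ROOTS
        and any(LOGO_URL.search(l.display_url) for l in msg.links)
        and bool(cta_hits([l.display_text for l in msg.links], cta_re))
        and "request" in msg.nlu_entities
        # no link back to the sender's own domain, unless that domain is in the Tranco top 1M
        and not any(r == sender_root and r not in TRANCO_1M for r in link_roots)
        and any(d in msg.subject.lower() for d in ORG_DOMAINS)
        and (
            msg.prevalence in ("new", "outlier")
            or (msg.any_malicious_or_spam and not msg.any_benign)
        )
    )


# Constructed sample messages (not real mail; .test domains and this logo URL are made up).
LOGO = "https://www.microsoft.com/en-us/brand/logo-ms.png"
PHISH = Message(
    display_name="MICROSOFT ACCOUNT TEAM",
    sender_email="alerts@m365-notices.test",
    subject="Action required: example.com mailbox storage",
    links=[
        Link("https://files-share.test/verify", LOGO, ""),
        Link("https://files-share.test/verify", "https://files-share.test/verify", "VIEW DOCUMENT"),
    ],
    nlu_entities=frozenset({"request"}),
    prevalence="new",
)
# Same lure, but the link resolves to the sender's own (non-Tranco) domain, so the rule passes on it.
SELF_HOSTED = Message(
    display_name=PHISH.display_name,
    sender_email=PHISH.sender_email,
    subject=PHISH.subject,
    links=[Link("https://m365-notices.test/verify", LOGO, "VIEW DOCUMENT")],
    nlu_entities=frozenset({"request"}),
    prevalence="new",
)
# Genuine Microsoft notification: excluded by the sender-domain allowlist and by prevalence.
REAL_MS = Message(
    display_name="MICROSOFT",
    sender_email="noreply@accountprotection.microsoft.com",
    subject="New sign-in to your example.com account",
    links=[Link("https://account.microsoft.com/activity", LOGO, "VIEW ACTIVITY")],
    nlu_entities=frozenset({"request"}),
    prevalence="common",
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("SELF_HOSTED", SELF_HOSTED), ("REAL_MS", REAL_MS)):
        print(f"{name}: {rule_matches(m)}")
    texts = ["learn more", "VIEW DOCUMENT", "Unsubscribe"]
    print("char class  :", cta_hits(texts, CTA_CHAR_CLASS))
    print("alternation :", cta_hits(texts, CTA_ALTERNATION))
```

Run as a script it reports which sample messages fire the rule and lists which of the three display texts each spelling of the call-to-action pattern accepts: the bracketed character class accepts all three, because every one of them contains at least one of the letters V, I, E, W, C, L, K, D, O, N, A or H, while the alternation accepts only "VIEW DOCUMENT". Swapping `cta_re=CTA_CHAR_CLASS` into `rule_matches()` shows how much of the rule's selectivity that one clause is responsible for.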
Detection logic
Scope: inbound message.
All of the following must hold:
- inbound message (type.inbound)
- sender.display_name matches '[A-Z ]+' in full (regex.match is anchored to the whole string)
- sender.email.domain.root_domain not in ('microsoft.com', 'microsoftsupport.com', 'office.com')
- any of body.links where:
  - .display_url.url contains, case-insensitively, '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png'
- any of body.links where:
  - .display_text contains '(VIEW|CLICK|DOWNLOAD|CHECK)'
- any of ml.nlu_classifier(body.html.inner_text).entities where:
  - .name is 'request'
- not:
  - any of body.links where all hold:
    - .href_url.domain.root_domain is sender.email.domain.root_domain
    - .href_url.domain.root_domain not in $tranco_1m
- any of $org_domains where:
  - strings.icontains(subject.subject, .)
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not: profile.by_sender().any_messages_benign
Practitioner notes:
- Because regex.match must match the entire display name, the first clause passes only for names made solely of upper-case letters and spaces; a name containing a digit or punctuation (for example "MICROSOFT 365") does not match.
- The call-to-action verbs must be written as an alternation in parentheses. Written in square brackets the same text is a character class that matches any single letter drawn from those words, which nearly every non-empty display text satisfies, and the clause stops contributing anything.
- The Microsoft exclusion is by root domain, so mail from any subdomain of microsoft.com, microsoftsupport.com or office.com is excluded; lookalike domains registered elsewhere are not.
- The link-back check only excludes a message when a link resolves to the sender's own root domain and that domain is outside the Tranco top 1M; a lure hosted on a third-party site still matches.
Inspects: body.html.inner_text, body.links, body.links[].display_text, body.links[].display_url.url, body.links[].href_url.domain.root_domain, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.contains, regex.icontains, regex.match, strings.icontains. Reference lists: $org_domains, $tranco_1m.
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
| sender.display_name (regex.match) | regex | [A-Z ]+ |
| sender.email.domain.root_domain | member | microsoft.com |
| sender.email.domain.root_domain | member | microsoftsupport.com |
| sender.email.domain.root_domain | member | office.com |
| body.links[].display_url.url (regex.icontains) | regex | .{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png |
| body.links[].display_text (regex.contains) | regex | (VIEW\|CLICK\|DOWNLOAD\|CHECK) |
| ml.nlu_classifier(body.html.inner_text).entities[].name | equals | request |