Link: PDF filename impersonation with credential theft language
Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Evasion, PDF |
Rule body MQL

```
type.inbound
// does not actually contain a PDF attachment
and not any(attachments, .file_extension == "pdf")
and (
  // extract the first body link's display text and compare it to the sender's SLD:
  // match when the text before the trailing digits is within a Levenshtein distance
  // of 4 from the SLD, or when the text starts with the SLD and ends in digits + .pdf
  any(regex.iextract(body.current_thread.links[0].display_text,
                     '(?P<starter>.*)\b\d+\.pdf$'
      ),
      strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
  )
  or (
    strings.istarts_with(body.current_thread.links[0].display_text,
                         sender.email.domain.sld
    )
    and regex.icontains(body.current_thread.links[0].display_text,
                        '\b\d+\.pdf$'
    )
  )
)
// cred theft intent or other request language
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence != "low"
  )
  or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
         ),
         regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
  )
)
// self-sender pattern, invalid recipient domain, or zero recipients in total
and (
  length(recipients.to) <= 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
    or sum([
         length(recipients.to),
         length(recipients.cc),
         length(recipients.bcc)
       ]
    ) == 0
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- not any of: attachments where .file_extension is 'pdf'
- any of:
  - any of: regex.iextract(body.current_thread.links[0].display_text, '(?P<starter>.*)\b\d+\.pdf$') where strings.ilevenshtein(.named_groups['starter'], sender.email.domain.sld) ≤ 4
  - all of:
    - strings.istarts_with(body.current_thread.links[0].display_text, sender.email.domain.sld)
    - body.current_thread.links[0].display_text matches '\b\d+\.pdf$'
- any of:
  - any of: ml.nlu_classifier(body.current_thread.text).intents where all hold:
    - .name is 'cred_theft'
    - .confidence is not 'low'
  - any of: filter(...) where .text matches 'please (?:see|find|click|(?:re)?view)'
- all of:
  - length(recipients.to) ≤ 1
  - any of:
    - sender.email.email is recipients.to[0].email.email
    - recipients.to[0].email.domain.valid is False
    - sum([length(recipients.to), length(recipients.cc), length(recipients.bcc)]) is 0
Inspects: attachments[].file_extension, body.current_thread.links[0].display_text, body.current_thread.text, recipients.bcc, recipients.cc, recipients.to, recipients.to[0].email.domain.valid, recipients.to[0].email.email, sender.email.domain.sld, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, regex.iextract, strings.ilevenshtein, strings.istarts_with.
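As an added illustration (not Sublime's code and not part of this rule page), the following Python re-implements the rule's four clauses over constructed sample messages so the matching behaviour can be checked offline. The `Message` class is a stand-in for the fields the rule inspects, `ilevenshtein` is a plain edit-distance implementation standing in for `strings.ilevenshtein`, and the third clause is approximated by the rule's own request regex applied to the body text, since the `ml.nlu_classifier` intent and entity outputs cannot be reproduced here (an assumption).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the message fields the rule inspects; not Sublime's
# real MQL object model.
@dataclass
class Message:
    inbound: bool
    sender_email: str
    sender_sld: str                          # sender.email.domain.sld, e.g. "acme"
    attachment_extensions: list
    first_link_display_text: Optional[str]   # body.current_thread.links[0].display_text
    body_text: str
    to: list                                 # [(address, domain_is_valid), ...]
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)

PDF_NAME_RE = re.compile(r'(?P<starter>.*)\b\d+\.pdf$', re.IGNORECASE)
PDF_TAIL_RE = re.compile(r'\b\d+\.pdf$', re.IGNORECASE)
REQUEST_RE = re.compile(r'please (?:see|find|click|(?:re)?view)', re.IGNORECASE)

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, standing in for strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_mimics_sender_pdf(display_text: Optional[str], sld: str) -> bool:
    """Clause 2: the first link's display text reads like '<sender SLD>...<digits>.pdf'."""
    if not display_text:                     # no links: links[0] is null in MQL
        return False
    m = PDF_NAME_RE.search(display_text)
    if m and ilevenshtein(m.group("starter"), sld) <= 4:
        return True
    return display_text.lower().startswith(sld.lower()) and bool(PDF_TAIL_RE.search(display_text))

def has_request_language(body_text: str) -> bool:
    """Clause 3 stand-in (assumption): the rule's request regex over the body text.
    The real rule also accepts an ML 'cred_theft' intent, not reproduced here."""
    return bool(REQUEST_RE.search(body_text))

def suspicious_recipients(msg: Message) -> bool:
    """Clause 4: at most one To recipient, and it is the sender, has an invalid
    domain, or the message has no recipients at all."""
    if len(msg.to) > 1:
        return False
    if len(msg.to) + len(msg.cc) + len(msg.bcc) == 0:
        return True
    if not msg.to:                           # only Cc/Bcc: recipients.to[0] is null, no match
        return False
    address, domain_valid = msg.to[0]
    return address.lower() == msg.sender_email.lower() or not domain_valid

def matches_rule(msg: Message) -> bool:
    return (
        msg.inbound
        and not any(ext.lower() == "pdf" for ext in msg.attachment_extensions)
        and link_mimics_sender_pdf(msg.first_link_display_text, msg.sender_sld)
        and has_request_language(msg.body_text)
        and suspicious_recipients(msg)
    )

# Constructed samples (not real messages).
SENDER = "billing@acme.example"
SAMPLES = {
    "self_sent_close_name": Message(True, SENDER, "acme", [], "ACME-48213.pdf",
        "Please review the attached invoice.", [(SENDER, True)]),
    "invalid_recipient_prefix": Message(True, SENDER, "acme", [], "acme invoice 4821.pdf",
        "Please find the document at the link.", [("nobody@acme.invalid", False)]),
    "no_recipients": Message(True, SENDER, "acme", [], "acme-7.pdf",
        "please click to view", []),
    "real_pdf_attached": Message(True, SENDER, "acme", ["pdf"], "ACME-48213.pdf",
        "Please review the attached invoice.", [(SENDER, True)]),
    "underscore_name": Message(True, SENDER, "acme", [], "acme_report_2024.pdf",
        "Please review the attached report.", [(SENDER, True)]),
    "normal_recipient": Message(True, SENDER, "acme", [], "ACME-48213.pdf",
        "Please review the attached invoice.", [("customer@other.example", True)]),
}

def evaluate_samples() -> dict:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} {'MATCH' if hit else 'no match'}")
```

The `underscore_name` sample shows a property of the rule's own regexes worth knowing when tuning: `\b\d+\.pdf$` needs a word boundary before the digits, and an underscore is a word character, so a display text like `acme_report_2024.pdf` does not satisfy either branch of the second clause, while `acme invoice 4821.pdf` (space) and `ACME-48213.pdf` (hyphen) do.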
Indicators matched (6)
| Field | Match | Value |
|---|---|---|
| attachments[].file_extension | equals | `pdf` |
| regex.iextract | regex | `(?P<starter>.*)\b\d+\.pdf$` |
| regex.icontains | regex | `\b\d+\.pdf$` |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | `cred_theft` |
| ml.nlu_classifier(body.current_thread.text).entities[].name | equals | `request` |
| regex.icontains | regex | `please (?:see\|find\|click\|(?:re)?view)` |