Detection rules › Sublime MQL
Link: Romance/Sexual Language With Suspicious Link
Detects messages containing romantic or adult-themed language, combined with links to newly registered domains or suspicious reply-to addresses.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Social engineering |
Event coverage
Rule body MQL
type.inbound
and length(body.previous_threads) == 0
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Romance", "Sexually Explicit Messages")
and .confidence == "high"
)
and 1 of (
any(body.links, network.whois(.href_url.domain).days_old < 30),
any(body.links, .href_url.domain.root_domain in $url_shorteners),
any(body.links, .href_url.domain.tld in ('ru', 'app', 'digital', 'click')),
any(headers.reply_to, network.whois(.email.domain).days_old < 30)
)
and 0 < length(distinct(body.links,
.href_url.domain.root_domain not in ("aka.ms")
)
) < 3
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
Detection logic
Scope: inbound message.
Detects messages containing romantic or adult-themed language, combined with links to newly registered domains or suspicious reply-to addresses.
- inbound message
- length(body.previous_threads) is 0
any of
ml.nlu_classifier(body.current_thread.text).topicswhere all hold:- .name in ('Romance', 'Sexually Explicit Messages')
- .confidence is 'high'
at least 1 of:
any of
body.linkswhere:- network.whois(.href_url.domain).days_old < 30
any of
body.linkswhere:- .href_url.domain.root_domain in $url_shorteners
any of
body.linkswhere:- .href_url.domain.tld in ('ru', 'app', 'digital', 'click')
any of
headers.reply_towhere:- network.whois(.email.domain).days_old < 30
all of:
- length(distinct(body.links, .href_url.domain.root_domain not in ('aka.ms'))) > 0
- length(distinct(body.links, .href_url.domain.root_domain not in ('aka.ms'))) < 3
all of
body.linkswhere:- .href_url.domain.root_domain is not sender.email.domain.root_domain
Inspects: body.current_thread.text, body.links, body.links[].href_url.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.tld, body.previous_threads, headers.reply_to, headers.reply_to[].email.domain, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, network.whois. Reference lists: $url_shorteners.
Indicators matched (8)
| Field | Match | Value |
|---|---|---|
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Romance |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Sexually Explicit Messages |
ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |
body.links[].href_url.domain.tld | member | ru |
body.links[].href_url.domain.tld | member | app |
body.links[].href_url.domain.tld | member | digital |
body.links[].href_url.domain.tld | member | click |
body.links[].href_url.domain.root_domain | member | aka.ms |