Link: Self-sender with sender org in subject and credential theft indicator

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | Credential Phishing
Tactics and techniques | Social engineering, Evasion

Rule body (MQL)

type.inbound
// self sender behavior
and length(recipients.to) == 1
and length(recipients.cc) == 0
and sender.email.email == recipients.to[0].email.email

// not self sender from the org_domain, this rule is not going to detect spoofed domains to limit FPs caused by various email auth issues.
and not sender.email.domain.domain in $org_domains
and profile.by_sender_email().prevalence == "new"

// org name in the subject, removing the subject from NLU to prevent the org being extracted from the subject
and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
               .name == "org"
               and .text != sender.email.domain.sld
               and .text != sender.email.domain.domain
        ),
        // not an icontains, make it an exact match
        strings.contains(subject.base, .text)
)
// must contain a link
and 0 < length(body.current_thread.links) < 20

// cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)
// all attachments are inline images or there are 0 attachments
and (
  length(attachments) == 0
  // there are only image attachments and all image attachments are served inline
  or (
    length(attachments) > 0
    and (
      all(attachments,
          .file_type in $file_types_images
          // all images are embedded in the html
          and strings.icontains(body.html.raw,
                                strings.concat('src="cid:', .content_id)
          )
      )
    )
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(recipients.to) is 1
  3. length(recipients.cc) is 0
  4. sender.email.email is recipients.to[0].email.email
  5. not:
    • sender.email.domain.domain in $org_domains
  6. profile.by_sender_email().prevalence is 'new'
  7. any of filter(ml.nlu_classifier(body.current_thread.text, subject='').entities) where:
    • entity kept by the filter: .name is 'org', .text is not sender.email.domain.sld, .text is not sender.email.domain.domain
    • strings.contains(subject.base, .text) (exact, case-sensitive match)
  8. all of:
    • length(body.current_thread.links) > 0
    • length(body.current_thread.links) < 20
  9. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name is 'cred_theft'
    • .confidence is 'high'
  10. any of:
    • length(attachments) is 0
    • all of:
      • length(attachments) > 0
      • all of attachments where all hold:
        • .file_type in $file_types_images
        • strings.icontains(body.html.raw, strings.concat('src="cid:', .content_id))

Inspects: attachments[].content_id, attachments[].file_type, body.current_thread.links, body.current_thread.text, body.html.raw, recipients.cc, recipients.to, recipients.to[0].email.email, sender.email.domain.domain, sender.email.domain.sld, sender.email.email, subject.base, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender_email, strings.concat, strings.contains, strings.icontains. Reference lists: $file_types_images, $org_domains.
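The clause-by-clause logic above, as an added example in plain Python that is not part of the Sublime rule or the sublime-rules repository. It evaluates the same predicates over a constructed message record. ml.nlu_classifier and profile.by_sender_email are Sublime sensors with no offline equivalent, so their outputs are assumed to be present on the record as the hypothetical fields nlu_entities, nlu_intents and sender_prevalence; ORG_DOMAINS and FILE_TYPES_IMAGES stand in for the $org_domains and $file_types_images lists, and sender.email.domain.sld is approximated for two-label domains.

```python
# Added example, not part of the Sublime rule or the sublime-rules repository:
# a plain-Python re-implementation of the rule's predicates evaluated over a
# constructed message record. ml.nlu_classifier and profile.by_sender_email are
# Sublime sensors with no offline equivalent, so their outputs are assumed to be
# present on the record as nlu_entities, nlu_intents and sender_prevalence.

ORG_DOMAINS = {"example-corp.com"}                        # stands in for $org_domains
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp"}  # stands in for $file_types_images


def sender_domain_parts(sender):
    """Return (domain, sld). sld is approximated as the label left of the TLD,
    which equals sender.email.domain.sld for two-label domains only (assumption)."""
    domain = sender.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    return domain, (labels[-2] if len(labels) >= 2 else domain)


def is_self_sender(msg):
    # length(recipients.to) == 1 and length(recipients.cc) == 0
    # and sender.email.email == recipients.to[0].email.email
    return (len(msg["to"]) == 1 and len(msg["cc"]) == 0
            and msg["sender"].lower() == msg["to"][0].lower())


def org_entity_in_subject(msg, domain, sld):
    # filter(entities, .name == "org" and .text != sld and .text != domain),
    # then strings.contains(subject.base, .text): exact, case-sensitive match
    orgs = [e["text"] for e in msg["nlu_entities"]
            if e["name"] == "org" and e["text"] not in (sld, domain)]
    return any(org in msg["subject"] for org in orgs)


def links_in_range(msg):
    # 0 < length(body.current_thread.links) < 20
    return 0 < len(msg["links"]) < 20


def cred_theft_high(msg):
    # any intent named cred_theft with high confidence
    return any(i["name"] == "cred_theft" and i["confidence"] == "high"
               for i in msg["nlu_intents"])


def attachments_all_inline_images(msg):
    # zero attachments (all() of an empty list is True), or every attachment is an
    # image type referenced by a src="cid:..." in the HTML; icontains -> lowercase both
    html = msg["html"].lower()
    return all(a["file_type"] in FILE_TYPES_IMAGES
               and ('src="cid:' + a["content_id"]).lower() in html
               for a in msg["attachments"])


def rule_matches(msg):
    """True when every clause of the rule holds, evaluated in the rule's order."""
    if not (msg["inbound"] and is_self_sender(msg)):
        return False
    domain, sld = sender_domain_parts(msg["sender"])
    if domain in ORG_DOMAINS or msg["sender_prevalence"] != "new":
        return False
    return (org_entity_in_subject(msg, domain, sld)
            and links_in_range(msg)
            and cred_theft_high(msg)
            and attachments_all_inline_images(msg))


# Constructed sample: a self-addressed lure naming a third-party org in the subject,
# with one inline logo image and one link. All values are made up for this example.
SAMPLE = {
    "inbound": True,
    "sender": "jdoe@example-partner.com",
    "to": ["jdoe@example-partner.com"],
    "cc": [],
    "sender_prevalence": "new",
    "subject": "Contoso Ltd: your mailbox password expires today",
    "links": ["https://login.example.invalid/verify"],
    "html": '<p>Verify now</p><img src="cid:logo01@example">',
    "attachments": [{"file_type": "png", "content_id": "logo01@example"}],
    "nlu_entities": [{"name": "org", "text": "Contoso Ltd"}],
    "nlu_intents": [{"name": "cred_theft", "confidence": "high"}],
}

if __name__ == "__main__":
    print("matches" if rule_matches(SAMPLE) else "no match")
```

Each clause is its own function so a tuning change (for example, widening the link-count bound or switching the subject match to case-insensitive) can be tested in isolation against variants of the sample record; note that the subject check is deliberately case-sensitive, mirroring the rule's strings.contains rather than icontains.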

Indicators matched (3)

Field                                                                   | Match  | Value
ml.nlu_classifier(body.current_thread.text, subject='').entities[].name | equals | org
ml.nlu_classifier(body.current_thread.text).intents[].name              | equals | cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].confidence        | equals | high