Detection rules › Sublime MQL

Link abuse: Self-service creation platform link with suspicious recipient behavior

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            BEC/Fraud, Credential Phishing, Spam
Tactics and techniques  Free email provider, Social engineering

Event coverage

Rule body MQL

type.inbound
// new freemail sender
and profile.by_sender_email().prevalence == "new"
and sender.email.domain.domain in $free_email_providers
// sus rcpt behavior
and (
  // invalid rcpt
  length(filter(recipients.to, .email.domain.valid)) == 0
  // self sender
  or (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // the only CC recipient is another freemail address
  or (
    length(recipients.cc) == 1
    and all(recipients.cc, .email.domain.domain in $free_email_providers)
  )
  // the recipient is another freemail with bcc
  or (
    length(recipients.to) == 1
    and recipients.to[0].email.domain.domain in $free_email_providers
    and length(recipients.bcc) > 0
  )
)
// few body links
and length(body.current_thread.links) < 10
// a link to a self-service creation platform whose display text is entirely upper case
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.domain in $self_service_creation_platform_domains
        )
        and regex.match(.display_text, '[A-Z0-9_\-\s]+')
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. profile.by_sender_email().prevalence is 'new'
  3. sender.email.domain.domain in $free_email_providers
  4. any of:
    • length(filter(recipients.to, .email.domain.valid)) is 0
    • all of:
      • length(recipients.to) is 1
      • sender.email.email is recipients.to[0].email.email
    • all of:
      • length(recipients.cc) is 1
      • all of recipients.cc where:
        • .email.domain.domain in $free_email_providers
    • all of:
      • length(recipients.to) is 1
      • recipients.to[0].email.domain.domain in $free_email_providers
      • length(recipients.bcc) > 0
  5. length(body.current_thread.links) < 10
  6. any of body.current_thread.links where all hold:
    • any of:
      • .href_url.domain.root_domain in $self_service_creation_platform_domains
      • .href_url.domain.domain in $self_service_creation_platform_domains
    • .display_text matches '[A-Z0-9_\-\s]+'

Inspects: body.current_thread.links, body.current_thread.links[].display_text, body.current_thread.links[].href_url.domain.domain, body.current_thread.links[].href_url.domain.root_domain, recipients.bcc, recipients.cc, recipients.cc[].email.domain.domain, recipients.to, recipients.to[0].email.domain.domain, recipients.to[0].email.email, recipients.to[].email.domain.valid, sender.email.domain.domain, sender.email.email, type.inbound. Sensors: profile.by_sender_email, regex.match. Reference lists: $free_email_providers, $self_service_creation_platform_domains.
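To see how the six conditions interact on concrete messages, the Python below re-implements the rule's logic over a handful of constructed samples. This is an added illustration, not code from the sublime-rules repository: the reference lists $free_email_providers and $self_service_creation_platform_domains are replaced with small constructed sets, the sender-history lookup behind profile.by_sender_email().prevalence is a hypothetical set of previously seen senders, and .email.domain.valid and .href_url.domain.root_domain are approximated by simple helpers. MQL's regex.match tests the whole string (the substring variant is regex.contains), so the display-text check uses re.fullmatch.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed stand-ins for $free_email_providers and
# $self_service_creation_platform_domains; the real lists are not reproduced here.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SELF_SERVICE_PLATFORM_DOMAINS = {"sites.example", "pages.example"}

# Hypothetical sender history standing in for profile.by_sender_email().prevalence:
# any sender not in this set is treated as "new".
PREVIOUSLY_SEEN_SENDERS = {"colleague@gmail.com"}

# MQL regex.match is a whole-string match, hence re.fullmatch below.
ALL_CAPS_DISPLAY = re.compile(r"[A-Z0-9_\-\s]+")


@dataclass
class Link:
    host: str            # stands in for .href_url.domain.domain
    display_text: str


@dataclass
class Message:
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    links: list[Link] = field(default_factory=list)
    inbound: bool = True


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def domain_valid(domain: str) -> bool:
    # Simplified .email.domain.valid: two or more non-empty labels, alphabetic TLD.
    labels = domain.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


def root_domain(host: str) -> str:
    # Simplified .href_url.domain.root_domain: last two labels, no public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


def suspicious_recipients(m: Message) -> bool:
    """Condition 4: any one of the four recipient patterns."""
    no_valid_to = not any(domain_valid(domain_of(r)) for r in m.to)
    self_send = len(m.to) == 1 and m.sender.lower() == m.to[0].lower()
    single_freemail_cc = len(m.cc) == 1 and all(
        domain_of(r) in FREE_EMAIL_PROVIDERS for r in m.cc
    )
    freemail_to_with_bcc = (
        len(m.to) == 1
        and domain_of(m.to[0]) in FREE_EMAIL_PROVIDERS
        and len(m.bcc) > 0
    )
    return no_valid_to or self_send or single_freemail_cc or freemail_to_with_bcc


def platform_link_all_caps(link: Link) -> bool:
    """Condition 6: platform link whose whole display text is caps, digits, _, - or space."""
    on_platform = (
        root_domain(link.host) in SELF_SERVICE_PLATFORM_DOMAINS
        or link.host.lower() in SELF_SERVICE_PLATFORM_DOMAINS
    )
    return on_platform and ALL_CAPS_DISPLAY.fullmatch(link.display_text) is not None


def rule_matches(m: Message) -> bool:
    """Conditions 1-6 in the order the MQL lists them."""
    if not m.inbound:
        return False
    if m.sender.lower() in PREVIOUSLY_SEEN_SENDERS:      # prevalence != "new"
        return False
    if domain_of(m.sender) not in FREE_EMAIL_PROVIDERS:
        return False
    if not suspicious_recipients(m):
        return False
    if len(m.links) >= 10:
        return False
    return any(platform_link_all_caps(link) for link in m.links)


CAPS_LINK = Link("invoice-portal.sites.example", "VIEW SHARED DOCUMENT")

# Constructed sample messages; none are real traffic.
SAMPLE_MESSAGES = {
    "self_send_caps": Message("acct.dept.2024@gmail.com", to=["acct.dept.2024@gmail.com"],
                              bcc=["payables@corp.example"], links=[CAPS_LINK]),
    "cc_freemail": Message("notices@outlook.com", to=["finance@corp.example"],
                           cc=["other@yahoo.com"], links=[CAPS_LINK]),
    "invalid_rcpt": Message("notices@outlook.com", to=["undisclosed@localhost"],
                            links=[Link("pages.example", "OPEN INVOICE 2024-07")]),
    "mixed_case_text": Message("acct.dept.2024@gmail.com", to=["acct.dept.2024@gmail.com"],
                               links=[Link("invoice-portal.sites.example", "View shared document")]),
    "known_sender": Message("colleague@gmail.com", to=["colleague@gmail.com"], links=[CAPS_LINK]),
    "normal_recipient": Message("notices@outlook.com", to=["finance@corp.example"], links=[CAPS_LINK]),
    "too_many_links": Message("acct.dept.2024@gmail.com", to=["acct.dept.2024@gmail.com"],
                              links=[CAPS_LINK] * 10),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: rule_matches(m) for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} {'MATCH' if hit else 'no match'}")
```

Two behaviours worth noting when tuning: because the display-text check is a whole-string match, a single trailing character outside the class (a lowercase letter, an exclamation mark) is enough to miss, so the rule trades recall for precision on the all-caps heuristic; and a message to a legitimate corporate recipient with no CC/BCC oddities never reaches the link check at all, whatever the link looks like.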

Indicators matched (1)

Field          Match    Value
regex.match    regex    [A-Z0-9_\-\s]+