detection.wiki

Detection rules › Sublime MQL

Link: Tax document lure Portuguese/Spanish with suspicious domains

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud, Credential Phishing, Malware/Ransomware
Tactics and techniquesFree file host, Free subdomain host, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers.auth_summary
recipients
recipients.to (collection)
sender.email
subject
type

Rule body MQL

type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and (
  // portuguese tax document phrases
  regex.icontains(body.current_thread.text,
                  '(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
  )
  // spanish tax document phrases
  or regex.icontains(body.current_thread.text,
                     '(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
  )
)

// suspicious domains
and any(body.links,
        .parser == 'hyperlink'
        and (
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $self_service_creation_platform_domains
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or network.whois(.href_url.domain).days_old < 30
        )
        and not .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
)
// subject fields
and regex.icontains(subject.base, '(?:nf|\b[0-9]{7,10}\b|nota fiscal)')

// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.

Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains.

  1. inbound message
  2. all of:
    • length(body.links) > 0
    • length(body.links) < 15
  3. length(recipients.to) is 1
  4. recipients.to[0].email.domain.valid
  5. any of:
    • body.current_thread.text matches '(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
    • body.current_thread.text matches '(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
  6. any of body.links where all hold:
    • .parser is 'hyperlink'
    • any of:
      • .href_url.domain.domain in $url_shorteners
      • .href_url.domain.root_domain in $url_shorteners
      • .href_url.domain.domain in $free_file_hosts
      • .href_url.domain.root_domain in $free_file_hosts
      • .href_url.domain.domain in $free_subdomain_hosts
      • .href_url.domain.root_domain in $free_subdomain_hosts
      • .href_url.domain.domain in $self_service_creation_platform_domains
      • .href_url.domain.root_domain in $self_service_creation_platform_domains
      • network.whois(.href_url.domain).days_old < 30
    • not:
      • .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
  7. subject.base matches '(?:nf|\\b[0-9]{7,10}\\b|nota fiscal)'
  8. not:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • coalesce(headers.auth_summary.dmarc.pass)

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].parser, headers.auth_summary.dmarc.pass, recipients.to, recipients.to[0].email.domain.valid, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: network.whois, regex.icontains. Reference lists: $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains, $self_service_creation_platform_domains, $url_shorteners.

Indicators matched (6)

FieldMatchValue
regex.icontainsregex(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)
regex.icontainsregex(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)
body.links[].parserequalshyperlink
body.links[].href_url.domain.root_domainmembersharepoint.com
body.links[].href_url.domain.root_domainmemberbox.com
regex.icontainsregex(?:nf|\b[0-9]{7,10}\b|nota fiscal)