Detection rules › Sublime MQL
Suspicious message with unscannable Vercel link
This rule detects messages with unscannable links to Vercel infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion |
Event coverage
Rule body MQL
type.inbound
and (
// few links
0 < length(body.links) < 20
// fewer unique root domain links
and length(distinct(body.links, .href_url.domain.root_domain)) < 10
// sender domain matches no body domains
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
// sender email address in body looks like this
or .href_url.url == sender.email.domain.root_domain
)
)
// negate bouncebacks and undeliverables
and not any(attachments,
.content_type in (
"message/global-delivery-status",
"message/delivery-status"
)
)
// suspicious subject or display name
and (
regex.icontains(subject.subject,
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"report",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"statement is ready",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access"
)
or any($suspicious_subjects, strings.icontains(subject.subject, .))
or regex.icontains(sender.display_name,
"Admin",
"Administrator",
"Alert",
"Assistant",
"Billing",
"Benefits",
"Bonus",
"CEO",
"CFO",
"CIO",
"CTO",
"Chairman",
"Claim",
"Confirm",
"Critical",
"Customer Service",
"Deal",
"Discount",
"Director",
"Exclusive",
"Executive",
"Fax",
"Free",
"Gift",
"/bHR/b",
"Helpdesk",
"Human Resources",
"Immediate",
"Important",
"Info",
"Information",
"Invoice",
'\bIT\b',
"Legal",
"Lottery",
"Management",
"Manager",
"Member Services",
"Notification",
"Offer",
"Operations",
"Order",
"Partner",
"Payment",
"Payroll",
"President",
"Premium",
"Prize",
"Receipt",
"Refund",
"Registrar",
"Required",
"Reward",
"Sales",
"Secretary",
"Security",
"Service",
"Signature",
"SSA",
"Storage",
"Support",
"Sweepstakes",
"System",
"Tax",
"Tech Support",
"Update",
"Upgrade",
"Urgent",
"Validate",
"Verify",
"VIP",
"Webmaster",
"Winner",
)
or any(body.links,
strings.ends_with(.href_url.url, ".exe")
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
)
// link can't be scanned due to Vercel block page
and any(body.links,
strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"Vercel Security Checkpoint"
)
or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'https://vercel.link/security-checkpoint'
)
)
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
Detection logic
Scope: inbound message.
This rule detects messages with unscannable links to Vercel infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.
- inbound message
all of:
all of:
- length(body.links) > 0
- length(body.links) < 20
- length(distinct(body.links, .href_url.domain.root_domain)) < 10
all of
body.linkswhere any holds:- .href_url.domain.root_domain is not sender.email.domain.root_domain
- .href_url.url is sender.email.domain.root_domain
not:
any of
attachmentswhere:- .content_type in ('message/global-delivery-status', 'message/delivery-status')
any of:
subject.subject matches any of 124 patterns
termination.*notice38417:completed[il1]{2}mit.*ma[il1]{2} ?bo?x[il][il][il]egai[ -][li][li][li]ega[li] attempt[ng]-?[io]n .*block[ng]-?[io]n .*cancel[ng]-?[io]n .*deactiv[ng]-?[io]n .*disablaction.*requiredabandon.*packageabout.your.accountacc(ou)?n?t (is )?on ho[li]dacc(ou)?n?t.*terminatacc(oun)?t.*[il1]{2}mitationaccess.*limitationaccount (will be )?blockaccount.*de-?activataccount.*lockedaccount.*re-verificationaccount.*securityaccount.*suspensionaccount.has.beenaccount.has.expiredaccount.will.be.blockedaccount v[il]o[li]atactivity.*acc(oun)?talmost.fullapp[li]e.[il]dauthenticate.*accountbeen.*suspendclos.*of.*account.*processedconfirm.your.accountcourier.*ablecrediential.*notifdeactivation.*in.*progressdelivery.*attempt.*faileddocument.receiveddocumented.*shared.*with.*youdropbox.*documente-?ma[il1]+ .{010}suspene-?ma[il1]{1} usere-?ma[il1]{2} acce-?ma[il1]{2}.*up.?gradee.?ma[il1]{2}.*servere.?ma[il1]{2}.*suspendemail.updatefaxed youfraud(ulent)?.*chargefrom.helpdeskfu[il1]{2}.*ma[il1]+[ -]?boxhas.been.*suspendedhas.been.limitedhave.lockedhe[li]p ?desk upgradeheipdeski[il]iega[il]ii[il]ega[il]incoming e?mailincoming.*faxlock.*securityma[il1]{1}[ -]?box.*quoma[il1]{2}[ -]?box.*fu[il1]ma[il1]{2}box.*[il1]{2}mitma[il1]{2}box stormail on.?holdmail.*box.*migrationmail.*de-?activatmail.update.requiredmails.*pendingmessages.*pendingmissed.*shipping.*notificationmissed.shipment.notificationmust.update.your.accountnew [sl][io]g?[nig][ -]?in fromnew voice ?-?mailnotifications.*pendingoffice.*3.*6.*5.*suspendoffice365on google docs with youonline docpassword.*compromisedperiodic maintenancepotential(ly)? unauthorizedrefund not approvedreportrevised.*policyscamscanned.?invoicesecured?.updatesecurity breachsecurltysigned.*deliverystatement is readystatus of your .{314}? ?deliverysusp[il1]+c[il1]+ous.*act[il1]+v[il1]+tysuspicious.*sign.*[io]nsuspicious.activittemporar(il)?y deactivatetemporar[il1]{2}y disab[li]edtemporarily.*lockun-?usua[li].activityunable.*deliverunauthorized.*activitunauthorized.deviceundelivered messageunread.*docunusual.activityupgrade.*accountupgrade.noticeurgent messageurgent.verificationv[il1]o[li1]at[il1]on securityva[il1]{1}date.*ma[il1]{2}[ -]?boxverification ?-?requireverification( )?-?needverify.your?.accountweb ?-?ma[il1]{2}web[ -]?ma[il1]{2}will.be.suspendedyour (customer )?account .asyour.office.365your.online.access
any of
$suspicious_subjectswhere:- strings.icontains(subject.subject)
sender.display_name matches any of 73 patterns
AdminAdministratorAlertAssistantBillingBenefitsBonusCEOCFOCIOCTOChairmanClaimConfirmCriticalCustomer ServiceDealDiscountDirectorExclusiveExecutiveFaxFreeGift/bHR/bHelpdeskHuman ResourcesImmediateImportantInfoInformationInvoice\bIT\bLegalLotteryManagementManagerMember ServicesNotificationOfferOperationsOrderPartnerPaymentPayrollPresidentPremiumPrizeReceiptRefundRegistrarRequiredRewardSalesSecretarySecurityServiceSignatureSSAStorageSupportSweepstakesSystemTaxTech SupportUpdateUpgradeUrgentValidateVerifyVIPWebmasterWinner
any of
body.linkswhere any holds:- .href_url.url ends with '.exe'
- .href_url.domain.root_domain in $social_landing_hosts
- .href_url.domain.domain in $free_subdomain_hosts
- .href_url.domain.root_domain in $free_subdomain_hosts
any of
body.linkswhere any holds:- ml.link_analysis(., mode='aggressive').final_dom.display_text contains 'Vercel Security Checkpoint'
- ml.link_analysis(., mode='aggressive').final_dom.raw contains 'https://vercel.link/security-checkpoint'
any of:
not:
- profile.by_sender_email().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.url, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.link_analysis, profile.by_sender, profile.by_sender_email, regex.icontains, strings.ends_with, strings.icontains. Reference lists: $free_subdomain_hosts, $high_trust_sender_root_domains, $social_landing_hosts, $suspicious_subjects.
Indicators matched (202)
| Field | Match | Value |
|---|---|---|
attachments[].content_type | member | message/global-delivery-status |
attachments[].content_type | member | message/delivery-status |
regex.icontains | regex | termination.*notice |
regex.icontains | regex | 38417 |
regex.icontains | regex | :completed |
regex.icontains | regex | [il1]{2}mit.*ma[il1]{2} ?bo?x |
regex.icontains | regex | [il][il][il]egai[ -] |
regex.icontains | regex | [li][li][li]ega[li] attempt |
regex.icontains | regex | [ng]-?[io]n .*block |
regex.icontains | regex | [ng]-?[io]n .*cancel |
regex.icontains | regex | [ng]-?[io]n .*deactiv |
regex.icontains | regex | [ng]-?[io]n .*disabl |
190 more
regex.icontains | regex | action.*required |
regex.icontains | regex | abandon.*package |
regex.icontains | regex | about.your.account |
regex.icontains | regex | acc(ou)?n?t (is )?on ho[li]d |
regex.icontains | regex | acc(ou)?n?t.*terminat |
regex.icontains | regex | acc(oun)?t.*[il1]{2}mitation |
regex.icontains | regex | access.*limitation |
regex.icontains | regex | account (will be )?block |
regex.icontains | regex | account.*de-?activat |
regex.icontains | regex | account.*locked |
regex.icontains | regex | account.*re-verification |
regex.icontains | regex | account.*security |
regex.icontains | regex | account.*suspension |
regex.icontains | regex | account.has.been |
regex.icontains | regex | account.has.expired |
regex.icontains | regex | account.will.be.blocked |
regex.icontains | regex | account v[il]o[li]at |
regex.icontains | regex | activity.*acc(oun)?t |
regex.icontains | regex | almost.full |
regex.icontains | regex | app[li]e.[il]d |
regex.icontains | regex | authenticate.*account |
regex.icontains | regex | been.*suspend |
regex.icontains | regex | clos.*of.*account.*processed |
regex.icontains | regex | confirm.your.account |
regex.icontains | regex | courier.*able |
regex.icontains | regex | crediential.*notif |
regex.icontains | regex | deactivation.*in.*progress |
regex.icontains | regex | delivery.*attempt.*failed |
regex.icontains | regex | document.received |
regex.icontains | regex | documented.*shared.*with.*you |
regex.icontains | regex | dropbox.*document |
regex.icontains | regex | e-?ma[il1]+ .{010}suspen |
regex.icontains | regex | e-?ma[il1]{1} user |
regex.icontains | regex | e-?ma[il1]{2} acc |
regex.icontains | regex | e-?ma[il1]{2}.*up.?grade |
regex.icontains | regex | e.?ma[il1]{2}.*server |
regex.icontains | regex | e.?ma[il1]{2}.*suspend |
regex.icontains | regex | email.update |
regex.icontains | regex | faxed you |
regex.icontains | regex | fraud(ulent)?.*charge |
regex.icontains | regex | from.helpdesk |
regex.icontains | regex | fu[il1]{2}.*ma[il1]+[ -]?box |
regex.icontains | regex | has.been.*suspended |
regex.icontains | regex | has.been.limited |
regex.icontains | regex | have.locked |
regex.icontains | regex | he[li]p ?desk upgrade |
regex.icontains | regex | heipdesk |
regex.icontains | regex | i[il]iega[il] |
regex.icontains | regex | ii[il]ega[il] |
regex.icontains | regex | incoming e?mail |
regex.icontains | regex | incoming.*fax |
regex.icontains | regex | lock.*security |
regex.icontains | regex | ma[il1]{1}[ -]?box.*quo |
regex.icontains | regex | ma[il1]{2}[ -]?box.*fu[il1] |
regex.icontains | regex | ma[il1]{2}box.*[il1]{2}mit |
regex.icontains | regex | ma[il1]{2}box stor |
regex.icontains | regex | mail on.?hold |
regex.icontains | regex | mail.*box.*migration |
regex.icontains | regex | mail.*de-?activat |
regex.icontains | regex | mail.update.required |
regex.icontains | regex | mails.*pending |
regex.icontains | regex | messages.*pending |
regex.icontains | regex | missed.*shipping.*notification |
regex.icontains | regex | missed.shipment.notification |
regex.icontains | regex | must.update.your.account |
regex.icontains | regex | new [sl][io]g?[nig][ -]?in from |
regex.icontains | regex | new voice ?-?mail |
regex.icontains | regex | notifications.*pending |
regex.icontains | regex | office.*3.*6.*5.*suspend |
regex.icontains | regex | office365 |
regex.icontains | regex | on google docs with you |
regex.icontains | regex | online doc |
regex.icontains | regex | password.*compromised |
regex.icontains | regex | periodic maintenance |
regex.icontains | regex | potential(ly)? unauthorized |
regex.icontains | regex | refund not approved |
regex.icontains | regex | report |
regex.icontains | regex | revised.*policy |
regex.icontains | regex | scam |
regex.icontains | regex | scanned.?invoice |
regex.icontains | regex | secured?.update |
regex.icontains | regex | security breach |
regex.icontains | regex | securlty |
regex.icontains | regex | signed.*delivery |
regex.icontains | regex | statement is ready |
regex.icontains | regex | status of your .{314}? ?delivery |
regex.icontains | regex | susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty |
regex.icontains | regex | suspicious.*sign.*[io]n |
regex.icontains | regex | suspicious.activit |
regex.icontains | regex | temporar(il)?y deactivate |
regex.icontains | regex | temporar[il1]{2}y disab[li]ed |
regex.icontains | regex | temporarily.*lock |
regex.icontains | regex | un-?usua[li].activity |
regex.icontains | regex | unable.*deliver |
regex.icontains | regex | unauthorized.*activit |
regex.icontains | regex | unauthorized.device |
regex.icontains | regex | undelivered message |
regex.icontains | regex | unread.*doc |
regex.icontains | regex | unusual.activity |
regex.icontains | regex | upgrade.*account |
regex.icontains | regex | upgrade.notice |
regex.icontains | regex | urgent message |
regex.icontains | regex | urgent.verification |
regex.icontains | regex | v[il1]o[li1]at[il1]on security |
regex.icontains | regex | va[il1]{1}date.*ma[il1]{2}[ -]?box |
regex.icontains | regex | verification ?-?require |
regex.icontains | regex | verification( )?-?need |
regex.icontains | regex | verify.your?.account |
regex.icontains | regex | web ?-?ma[il1]{2} |
regex.icontains | regex | web[ -]?ma[il1]{2} |
regex.icontains | regex | will.be.suspended |
regex.icontains | regex | your (customer )?account .as |
regex.icontains | regex | your.office.365 |
regex.icontains | regex | your.online.access |
regex.icontains | regex | Admin |
regex.icontains | regex | Administrator |
regex.icontains | regex | Alert |
regex.icontains | regex | Assistant |
regex.icontains | regex | Billing |
regex.icontains | regex | Benefits |
regex.icontains | regex | Bonus |
regex.icontains | regex | CEO |
regex.icontains | regex | CFO |
regex.icontains | regex | CIO |
regex.icontains | regex | CTO |
regex.icontains | regex | Chairman |
regex.icontains | regex | Claim |
regex.icontains | regex | Confirm |
regex.icontains | regex | Critical |
regex.icontains | regex | Customer Service |
regex.icontains | regex | Deal |
regex.icontains | regex | Discount |
regex.icontains | regex | Director |
regex.icontains | regex | Exclusive |
regex.icontains | regex | Executive |
regex.icontains | regex | Fax |
regex.icontains | regex | Free |
regex.icontains | regex | Gift |
regex.icontains | regex | /bHR/b |
regex.icontains | regex | Helpdesk |
regex.icontains | regex | Human Resources |
regex.icontains | regex | Immediate |
regex.icontains | regex | Important |
regex.icontains | regex | Info |
regex.icontains | regex | Information |
regex.icontains | regex | Invoice |
regex.icontains | regex | \bIT\b |
regex.icontains | regex | Legal |
regex.icontains | regex | Lottery |
regex.icontains | regex | Management |
regex.icontains | regex | Manager |
regex.icontains | regex | Member Services |
regex.icontains | regex | Notification |
regex.icontains | regex | Offer |
regex.icontains | regex | Operations |
regex.icontains | regex | Order |
regex.icontains | regex | Partner |
regex.icontains | regex | Payment |
regex.icontains | regex | Payroll |
regex.icontains | regex | President |
regex.icontains | regex | Premium |
regex.icontains | regex | Prize |
regex.icontains | regex | Receipt |
regex.icontains | regex | Refund |
regex.icontains | regex | Registrar |
regex.icontains | regex | Required |
regex.icontains | regex | Reward |
regex.icontains | regex | Sales |
regex.icontains | regex | Secretary |
regex.icontains | regex | Security |
regex.icontains | regex | Service |
regex.icontains | regex | Signature |
regex.icontains | regex | SSA |
regex.icontains | regex | Storage |
regex.icontains | regex | Support |
regex.icontains | regex | Sweepstakes |
regex.icontains | regex | System |
regex.icontains | regex | Tax |
regex.icontains | regex | Tech Support |
regex.icontains | regex | Update |
regex.icontains | regex | Upgrade |
regex.icontains | regex | Urgent |
regex.icontains | regex | Validate |
regex.icontains | regex | Verify |
regex.icontains | regex | VIP |
regex.icontains | regex | Webmaster |
regex.icontains | regex | Winner |
strings.ends_with | suffix | .exe |
strings.icontains | substring | Vercel Security Checkpoint |
strings.icontains | substring | https://vercel.link/security-checkpoint |