Detection rules › Sublime MQL
Link: Suspicious URL with recipient targeting and special characters
Detects messages containing links whose single-segment path ends in '/$', '/*' or '/#', whose path carries a special character ('!' or '@') or whose subdomain and path both carry an alphanumeric token (letters followed by three digits, or three digits followed by letters), and which embed the recipient's email address in the URL path or fragment, either in plaintext or base64-encoded with the URL-safe alphabet.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Evasion |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| recipients |
| recipients.to (collection) |
| type |
Rule body MQL
```mql
type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // a single path segment: exactly two '/' in the path
        strings.count(.href_url.path, '/') == 2
        and (
          strings.icontains(.href_url.path, '/$')
          or strings.icontains(.href_url.path, '/*')
          or strings.icontains(.href_url.url, '/#')
        )
        and (
          // special char in the path
          (
            (
              strings.icontains(.href_url.path, '!')
              or strings.icontains(.href_url.path, '@')
            )
            // ensure expected ordering: the '!' or '@' precedes the closing '/$', '/*' or '/#'
            and regex.icontains(.href_url.url, '[!@].*\/[$\*#]')
          )
          // alpha+num{3} or num{3}+alpha token (e.g. abc123, 123abc)
          or (
            // in subdomain
            regex.icontains(.href_url.domain.subdomain,
                            '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)'
            )
            // and in the url path
            and regex.icontains(.href_url.path,
                                '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
            )
          )
        )
        // recipient address in the path, or base64-encoded (url-safe alphabet) anywhere in the url
        and (
          strings.icontains(.href_url.path, recipients.to[0].email.email)
          or any(strings.scan_base64(.href_url.url,
                                     ignore_padding=true,
                                     format="url"
                 ),
                 strings.icontains(., recipients.to[0].email.email)
          )
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- length(recipients.to) is 1
- recipients.to[0].email.domain.valid
- any of body.links where all hold:
  - strings.count(.href_url.path, '/') is 2 (a single path segment)
  - any of:
    - .href_url.path contains '/$'
    - .href_url.path contains '/*'
    - .href_url.url contains '/#'
  - any of:
    - all of:
      - any of:
        - .href_url.path contains '!'
        - .href_url.path contains '@'
      - .href_url.url matches '[!@].*\/[$\*#]' (the '!' or '@' precedes the closing marker)
    - all of:
      - .href_url.domain.subdomain matches '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)'
      - .href_url.path matches '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
  - any of:
    - .href_url.path contains recipients.to[0].email.email
    - any of strings.scan_base64(.href_url.url, ignore_padding=true, format="url") where: . contains recipients.to[0].email.email

All substring and regex checks are case-insensitive (strings.icontains, regex.icontains).
Inspects: body.links, body.links[].href_url.domain.subdomain, body.links[].href_url.path, body.links[].href_url.url, recipients.to, recipients.to[0].email.domain.valid, recipients.to[0].email.email, type.inbound. Sensors: regex.icontains, strings.count, strings.icontains, strings.scan_base64.
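To exercise the logic above offline, here is an added Python re-implementation of the link predicate and the message-level gates. It is example code written for this page, not Sublime's engine or part of the rule: strings.scan_base64, .href_url.domain.subdomain and email.domain.valid are approximated as noted in the comments (no public-suffix list, no TLD list, and an assumed 16-character minimum for a base64 run), and the recipient address and URLs are constructed samples.

```python
"""Plain-Python port of the rule's link checks (added example, not Sublime code).
Approximations are marked; sample recipient and URLs are constructed."""
import base64
import re
from urllib.parse import urlsplit

# Regexes copied from the rule body (regex.icontains => re.IGNORECASE).
SUBDOMAIN_RE = re.compile(r"^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)", re.I)
PATH_TOKEN_RE = re.compile(r"/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)/", re.I)
ORDERING_RE = re.compile(r"[!@].*/[$*#]", re.I)
# Assumption: a URL-safe base64 run is at least 16 alphabet characters long.
B64_URL_RUN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


def scan_base64_url(s):
    """Approximates strings.scan_base64(s, ignore_padding=true, format="url"):
    each URL-safe base64 run is re-padded and decoded; runs that do not decode
    or are not UTF-8 text are dropped."""
    decoded = []
    for run in B64_URL_RUN_RE.findall(s):
        padded = run + "=" * (-len(run) % 4)
        try:
            decoded.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
    return decoded


def subdomain_of(hostname):
    """Approximates .href_url.domain.subdomain without a public-suffix list:
    everything left of the last two labels (wrong for e.g. example.co.uk)."""
    labels = hostname.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def recipient_domain_valid(address):
    """Stand-in for recipients.to[0].email.domain.valid: non-empty local part
    and a dotted domain with no empty labels (no TLD-list check)."""
    local, sep, domain = address.rpartition("@")
    return bool(sep and local and "." in domain and all(domain.split(".")))


def link_matches(url, recipient):
    """The body of the rule's any(body.links, ...) predicate for one href URL."""
    parts = urlsplit(url)
    path = parts.path
    subdomain = subdomain_of(parts.hostname or "")
    rcpt = recipient.lower()

    # a single path segment: exactly two '/' in the path, e.g. "/abc123/"
    single_segment = path.count("/") == 2
    # path ends in '/$' or '/*', or the URL carries '/#' (fragment after an empty segment)
    suspicious_end = "/$" in path or "/*" in path or "/#" in url
    # branch 1: '!' or '@' in the path, and it precedes the closing marker in the URL
    bang_or_at = ("!" in path or "@" in path) and ORDERING_RE.search(url) is not None
    # branch 2: alpha+3-digit (or 3-digit+alpha) token in both the subdomain and the path
    tokenised = SUBDOMAIN_RE.search(subdomain) is not None and PATH_TOKEN_RE.search(path) is not None
    # recipient address in the path, or inside a base64 run anywhere in the URL
    rcpt_in_path = rcpt in path.lower()
    rcpt_in_b64 = any(rcpt in chunk.lower() for chunk in scan_base64_url(url))

    return (single_segment and suspicious_end
            and (bang_or_at or tokenised)
            and (rcpt_in_path or rcpt_in_b64))


def rule_fires(inbound, recipients_to, links):
    """Message-level rule: inbound, exactly one To: recipient with a valid
    domain, and at least one link satisfying link_matches()."""
    if not inbound or len(recipients_to) != 1:
        return False
    rcpt = recipients_to[0]
    return recipient_domain_valid(rcpt) and any(link_matches(u, rcpt) for u in links)


# Constructed samples (not taken from any real campaign).
RECIPIENT = "jane.doe@example.com"
B64_RCPT = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
PLAINTEXT_LINK = f"https://login-portal.example.net/{RECIPIENT}/$"   # '@' in path, before '/$'
BASE64_LINK = f"https://abc123.example.net/456xyz/#{B64_RCPT}"       # token subdomain+path, email in fragment
BENIGN_LINK = "https://www.example.net/account/settings"              # single segment, no marker

if __name__ == "__main__":
    for name, link in [("plaintext", PLAINTEXT_LINK), ("base64", BASE64_LINK), ("benign", BENIGN_LINK)]:
        print(f"{name:9s} {link_matches(link, RECIPIENT)}")
    print("two recipients:", rule_fires(True, [RECIPIENT, "bob@example.com"], [BASE64_LINK]))
```

Running it shows the plaintext and base64 links matching and the benign one not, and that the same malicious link produces no hit once the message has more than one To: recipient, which is the length(recipients.to) == 1 gate in the rule. The two places a port like this diverges from Sublime's own evaluation are the subdomain split (Sublime uses a public-suffix list) and the base64 scanner's minimum run length, so treat those as the approximations they are when tuning.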
Indicators matched (8)
| Sensor | Match | Value |
|---|---|---|
| strings.icontains | substring | /$ |
| strings.icontains | substring | /* |
| strings.icontains | substring | /# |
| strings.icontains | substring | ! |
| strings.icontains | substring | @ |
| regex.icontains | regex | [!@].*\/[$\*#] |
| regex.icontains | regex | ^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.) |
| regex.icontains | regex | \/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/ |