Detection rules › Sublime MQL
Link: Zoho form link from unsolicited sender
This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Free file host |
Event coverage
Rule body MQL
type.inbound
// filter links to zoho forms
and any(filter(body.links,
// zoho forms link
.href_url.domain.domain == 'forms.zohopublic.com'
// remove a common FP for linking directly
and not strings.istarts_with(.href_url.path, '/quickbooking/')
),
// remove FPs by checking there is only one link
// ensure the link is within the current_thread
(
strings.contains(body.current_thread.text, .display_text)
or strings.contains(body.current_thread.text, .href_url.url)
)
// and ensure that link only occurs once within body.html
and (
(
body.html.raw is not null
and (
strings.count(body.html.raw, .display_text) == 1
or strings.count(body.html.raw, .href_url.url) == 1
)
)
or (
// and ensure that link only occurs once within plaintext if html.raw is null
body.plain.raw is not null
and (
strings.count(body.plain.raw, .display_text) == 1
or strings.count(body.plain.raw, .href_url.url) == 1
)
)
)
)
// dont match messages with lots of links or long bodies, often marketing messages
and length(body.links) < 20
and length(body.current_thread.text) < 900
// not solicited or from malicious/spam user with no FPs
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.
- inbound message
any of
filter(body.links)where all hold:any of:
- strings.contains(body.current_thread.text)
- strings.contains(body.current_thread.text)
any of:
all of:
- body.html.raw is set
any of:
- strings.count(body.html.raw) is 1
- strings.count(body.html.raw) is 1
all of:
- body.plain.raw is set
any of:
- strings.count(body.plain.raw) is 1
- strings.count(body.plain.raw) is 1
- length(body.links) < 20
- length(body.current_thread.text) < 900
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, body.html.raw, body.links, body.links[].href_url.domain.domain, body.links[].href_url.path, body.plain.raw, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.contains, strings.count, strings.istarts_with. Reference lists: $high_trust_sender_root_domains.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.domain | equals | forms.zohopublic.com |
strings.istarts_with | prefix | /quickbooking/ |