Suspected lookalike domain with suspicious language

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns like financial terms or polite phrasing such as kindly. This layered approach targets phishing attempts combining domain deception with manipulative content

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	BEC/Fraud
Tactics and techniques	Evasion, Lookalike domain, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
sender.email
type

Rule body MQL

type.inbound

// levenshtein distance (edit distance) between the SLD of the link and the sender domain is greater than 0 and less than or equal to 2.
// This detects typosquatting or domains that are deceptively similar to the sender.
and any(body.links,
        length(.href_url.domain.sld) > 3
        and 0 < strings.levenshtein(.href_url.domain.sld,
                                    sender.email.domain.sld
        ) <= 2
        // exclude onmicrosoft.com
        and not sender.email.domain.root_domain == "onmicrosoft.com"
        and (
          // domains are not registered or registered within 90d
          // network.whois(.href_url.domain).found == false
          network.whois(.href_url.domain).days_old <= 90
          or network.whois(sender.email.domain).found == false
          or network.whois(sender.email.domain).days_old <= 90
        )
)
// the mesasge is intent is BEC or Cred Theft, or is talking about financial invoicing/banking language, or a request contains "kindly"
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "cred_theft")
        or any(ml.nlu_classifier(body.current_thread.text).entities,
               .name == "financial"
               and (
                 .text in ("invoice", "banking information")
                 or .name == "request" and strings.icontains(.text, "kindly")
               )
        )
)

Detection logic

Scope: inbound message.

inbound message
any of body.links where all hold:
- length(.href_url.domain.sld) > 3
- all of:
  - strings.levenshtein(.href_url.domain.sld) > 0
  - strings.levenshtein(.href_url.domain.sld) ≤ 2
- not:
  - sender.email.domain.root_domain is 'onmicrosoft.com'
- any of:
  - network.whois(.href_url.domain).days_old ≤ 90
  - network.whois(sender.email.domain).found is False
  - network.whois(sender.email.domain).days_old ≤ 90
any of ml.nlu_classifier(body.current_thread.text).intents where any holds:
- .name in ('bec', 'cred_theft')
- any of ml.nlu_classifier(body.current_thread.text).entities where all hold:
  - .name is 'financial'
  - any of:
    
    .text in ('invoice', 'banking information')
    all of:
    
    .name is 'request'
    .text contains 'kindly'

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain, body.links[].href_url.domain.sld, sender.email.domain, sender.email.domain.root_domain, sender.email.domain.sld, type.inbound. Sensors: ml.nlu_classifier, network.whois, strings.icontains, strings.levenshtein.

Indicators matched (8)

Field	Match	Value
`sender.email.domain.root_domain`	equals	`onmicrosoft.com`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	member	`bec`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	member	`cred_theft`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	equals	`financial`
`ml.nlu_classifier(body.current_thread.text).entities[].text`	member	`invoice`
`ml.nlu_classifier(body.current_thread.text).entities[].text`	member	`banking information`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	equals	`request`
`strings.icontains`	substring	`kindly`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)