Detection rules › Sublime MQL
Open redirect: tkqlhce.com
Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Open redirect |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "tkqlhce.com"
and (
(
strings.icontains(.href_url.query_params, 'url=')
and not regex.icontains(.href_url.query_params,
'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
)
)
or (
strings.icontains(.href_url.path, '/links/')
and strings.icontains(.href_url.path, '/type/dlg/')
and regex.icontains(.href_url.path, 'https?://')
and not regex.icontains(.href_url.path,
'/links/[^/]+/type/dlg/(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
)
)
)
)
and not sender.email.domain.root_domain == "tkqlhce.com"
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.
- inbound message
- length(body.links) < 10
any of
body.linkswhere all hold:- .href_url.domain.root_domain is 'tkqlhce.com'
any of:
all of:
- .href_url.query_params contains 'url='
not:
- .href_url.query_params matches 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*tkqlhce\\.com(?:\\&|\\/|$|%2f)'
all of:
- .href_url.path contains '/links/'
- .href_url.path contains '/type/dlg/'
- .href_url.path matches 'https?://'
not:
- .href_url.path matches '/links/[^/]+/type/dlg/(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*tkqlhce\\.com(?:\\&|\\/|$|%2f)'
not:
- sender.email.domain.root_domain is 'tkqlhce.com'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, body.links[].href_url.query_params, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: regex.icontains, strings.icontains. Reference lists: $high_trust_sender_root_domains.
Indicators matched (8)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.root_domain | equals | tkqlhce.com |
strings.icontains | substring | url= |
regex.icontains | regex | url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f) |
strings.icontains | substring | /links/ |
strings.icontains | substring | /type/dlg/ |
regex.icontains | regex | https?:// |
regex.icontains | regex | /links/[^/]+/type/dlg/(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f) |
sender.email.domain.root_domain | equals | tkqlhce.com |