Reconnaissance: Email address harvesting attempt
Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing, Spam |
| Tactics and techniques | Free email provider, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
and length(subject.base) <= 15
// detect email addresses in body text
and (
    regex.imatch(body.current_thread.text,
                 '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}')
)
// external freemail sender
and sender.email.domain.root_domain in $free_email_providers
// no attachments but allow one link
and length(attachments) == 0
and length(body.current_thread.links) == 1
Detection logic
Scope: inbound message.
- inbound message
- length(subject.base) ≤ 15
- body.current_thread.text matches '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' via regex.imatch, Sublime's case-insensitive whole-string match (the substring form is regex.icontains); in practice the body text must therefore consist of a single email address rather than merely contain one, which fits the single allowed link being the auto-linked mailto for that address
- sender.email.domain.root_domain in $free_email_providers
- length(attachments) is 0
- length(body.current_thread.links) is 1
Inspects: body.current_thread.links, body.current_thread.text, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: regex.imatch. Reference lists: $free_email_providers.
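The following is an added example, not code from Sublime or from this rule's author: a Python re-implementation of the rule body above, run over a handful of constructed messages so the effect of each condition can be seen. It assumes a small stand-in for the $free_email_providers list, approximates subject.base as the subject with reply/forward prefixes stripped and root_domain as the last two DNS labels (the real attribute is public-suffix aware), and models regex.imatch as an anchored whole-string match, with an `anchored=False` switch that models regex.icontains for comparison.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The rule's own pattern, compiled case-insensitively as regex.imatch is.
EMAIL_PATTERN = re.compile(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}',
                           re.IGNORECASE)

# Constructed stand-in for Sublime's $free_email_providers reference list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com",
                        "hotmail.com", "proton.me"}

# Reply/forward prefixes stripped by our approximation of subject.base.
SUBJECT_PREFIX = re.compile(r'^\s*(?:re|fwd?|aw|wg)\s*:\s*', re.IGNORECASE)


@dataclass
class Message:
    """Only the message attributes the rule inspects (constructed sample type)."""
    name: str
    inbound: bool
    subject: str
    sender_email: str
    body_text: str
    links: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


def subject_base(subject: str) -> str:
    # Approximation of subject.base: strip nested "Re:"/"Fwd:" prefixes.
    while True:
        stripped = SUBJECT_PREFIX.sub('', subject, count=1)
        if stripped == subject:
            return subject.strip()
        subject = stripped


def root_domain(email: str) -> str:
    # Approximation of sender.email.domain.root_domain: last two labels.
    # The real attribute uses the public suffix list (e.g. handles co.uk).
    labels = email.rsplit('@', 1)[-1].lower().split('.')
    return '.'.join(labels[-2:])


def matches_rule(msg: Message, anchored: bool = True) -> bool:
    """Re-implementation of the rule body.

    anchored=True models regex.imatch (whole body text must be one address,
    surrounding whitespace tolerated); anchored=False models regex.icontains
    (an address anywhere in the body).
    """
    if not msg.inbound:
        return False
    if len(subject_base(msg.subject)) > 15:
        return False
    if anchored:
        body_hit = EMAIL_PATTERN.fullmatch(msg.body_text.strip())
    else:
        body_hit = EMAIL_PATTERN.search(msg.body_text)
    if not body_hit:
        return False
    if root_domain(msg.sender_email) not in FREE_EMAIL_PROVIDERS:
        return False
    return len(msg.attachments) == 0 and len(msg.links) == 1


# Constructed sample messages, one per condition worth exercising.
TARGET = "finance.team@acme-corp.example"
MAILTO = ["mailto:" + TARGET]
SAMPLES = [
    Message("bare-address-from-freemail", True, "hi", "probe123@gmail.com",
            TARGET + "\n", links=MAILTO),
    Message("address-inside-sentence", True, "hi", "probe123@gmail.com",
            "Please confirm " + TARGET + " is still active.", links=MAILTO),
    Message("corporate-sender", True, "hi", "alice@partner.example",
            TARGET, links=MAILTO),
    Message("long-subject", True, "Re: Updated vendor contact list for Q3",
            "probe123@gmail.com", TARGET, links=MAILTO),
    Message("with-attachment", True, "hi", "probe123@gmail.com",
            TARGET, links=MAILTO, attachments=["contacts.xlsx"]),
    Message("outbound", False, "hi", "probe123@gmail.com", TARGET, links=MAILTO),
]


def fired(anchored: bool = True) -> List[str]:
    """Names of the sample messages the rule fires on."""
    return [m.name for m in SAMPLES if matches_rule(m, anchored=anchored)]


if __name__ == "__main__":
    print("regex.imatch   :", fired())
    print("regex.icontains:", fired(anchored=False))
```

Only the bare-address message fires under the whole-string match; switching to the substring form additionally catches the address embedded in a sentence, which is the trade-off to weigh if the rule is tuned for broader coverage.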
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| regex.imatch | regex | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,} |