Detection rules › Sublime MQL
Reconnaissance: Empty message from uncommon sender
Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body.html |
| body.plain |
| subject |
| type |
Rule body (MQL)
```mql
type.inbound
and subject.base == ""
and (
body.plain.raw is null
or body.plain.raw == ""
or regex.imatch(body.plain.raw, '^\s*$')
)
and (
body.html.raw is null
or body.html.raw == ""
or regex.imatch(body.html.raw, '^\s*$')
)
and length(attachments) == 0
and profile.by_sender().prevalence != "common"
```
Detection logic
Scope: inbound message.
- inbound message
- subject.base is ''
- any of:
  - body.plain.raw is missing
  - body.plain.raw is ''
  - body.plain.raw matches '^\s*$'
- any of:
  - body.html.raw is missing
  - body.html.raw is ''
  - body.html.raw matches '^\s*$'
- length(attachments) is 0
- profile.by_sender().prevalence is not 'common'
Inspects: body.html.raw, body.plain.raw, subject.base, type.inbound. Sensors: profile.by_sender, regex.imatch.
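To make the rule's conditions concrete, here is an added Python re-implementation (not Sublime's code and not part of this rule page) that evaluates the same predicates over constructed sample messages. The `Message` class, the `matches_rule` function and the prevalence values `"new"` and `"uncommon"` are assumptions made for the example; `subject.base` is approximated by stripping leading `RE:`/`FW:` prefixes, which is also an assumption about how that attribute is derived.

```python
"""Added example (not Sublime's code): re-implements the empty-message rule's
logic in Python so each condition can be exercised offline on constructed
samples. Attribute names mirror the MQL fields; prevalence values are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Approximation of subject.base: strip leading RE:/FW:/FWD: style prefixes
# and surrounding whitespace (assumption about how the attribute is derived).
_SUBJECT_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)
# Mirrors regex.imatch(x, '^\s*$'): the whole value is empty or whitespace-only.
_BLANK = re.compile(r"\s*")


@dataclass
class Message:
    inbound: bool                      # type.inbound
    subject: str                       # subject (raw, before base normalisation)
    body_plain: Optional[str]          # body.plain.raw; None models "is null"
    body_html: Optional[str]           # body.html.raw; None models "is null"
    attachments: List[str] = field(default_factory=list)
    sender_prevalence: str = "common"  # profile.by_sender().prevalence (assumed values)


def subject_base(subject: str) -> str:
    """Assumed subject.base: subject minus reply/forward prefixes and padding."""
    return _SUBJECT_PREFIX.sub("", subject).strip()


def body_is_blank(raw: Optional[str]) -> bool:
    """The rule's three disjuncts: is null, == "", or matches '^\\s*$'."""
    return raw is None or _BLANK.fullmatch(raw) is not None


def matches_rule(msg: Message) -> bool:
    """True when every conjunct of the MQL rule body holds."""
    return (
        msg.inbound
        and subject_base(msg.subject) == ""
        and body_is_blank(msg.body_plain)
        and body_is_blank(msg.body_html)
        and len(msg.attachments) == 0
        and msg.sender_prevalence != "common"
    )


# Constructed sample messages, one per branch of the logic worth checking.
SAMPLES: Dict[str, Message] = {
    "truly_empty_new_sender": Message(True, "", None, None, [], "new"),
    "whitespace_only_uncommon": Message(True, "  ", "\n\t ", "  \n", [], "uncommon"),
    "reply_prefix_only": Message(True, "RE:", "", None, [], "new"),
    "empty_but_common_sender": Message(True, "", None, None, [], "common"),
    # Raw HTML is inspected, so tag-only markup is NOT blank under this rule.
    "empty_html_markup": Message(True, "", None, "<html><body></body></html>", [], "new"),
    "has_attachment": Message(True, "", None, None, ["invoice.pdf"], "new"),
    "outbound": Message(False, "", None, None, [], "new"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample and report which ones it would flag."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


def flagged_names() -> List[str]:
    """Names of the samples that would produce a detection, for triage."""
    return sorted(name for name, hit in evaluate_samples().items() if hit)


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28s} {'FLAG' if hit else 'pass'}")
```

The `empty_html_markup` sample is the case worth noticing: the rule tests `body.html.raw`, so an HTML part that contains only markup and no text is not treated as empty, and such a message falls through to other rules. The `empty_but_common_sender` sample shows the prevalence gate doing its job of suppressing blank messages from senders the organisation already exchanges mail with.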
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
| subject.base | equals | "" |
| body.plain.raw | equals | "" |
| regex.imatch | regex | ^\s*$ |
| body.html.raw | equals | "" |