Service abuse: Nylas tracking subdomain with suspicious content
Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body (MQL)

```
type.inbound
and any(filter(body.current_thread.links, .href_url.domain.sld == "nylas"),
        .display_text is not null
        and strings.icontains(.href_url.domain.subdomain, 'tracking')
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
```
Detection logic
Scope: inbound message. All conditions are evaluated against body.current_thread, i.e. the newest message in the thread, not quoted earlier replies.
- type.inbound is true
- any link in body.current_thread.links, after filtering to links whose .href_url.domain.sld equals "nylas" (the registered domain is nylas.*, so a lookalike such as nylas.example.com does not pass the filter), for which all hold:
  - .display_text is set (a bare URL with no anchor text does not qualify)
  - .href_url.domain.subdomain contains "tracking" (case-insensitive)
- any intent returned by ml.nlu_classifier(body.current_thread.text).intents for which all hold:
  - .name is "cred_theft"
  - .confidence is not "low"
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.sld, body.current_thread.links[].href_url.domain.subdomain, body.current_thread.links[].display_text, body.current_thread.text, type.inbound. Sensors: ml.nlu_classifier, strings.icontains.
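To make the clause-by-clause evaluation concrete, here is an added example (not Sublime's code and not part of the original rule page): a small local model of the rule run over constructed messages. The Link and Message classes, split_domain() and the sample messages are assumptions of this model; nlu_intents() is a keyword stand-in for Sublime's ml.nlu_classifier sensor and does not reproduce the real classifier.

```python
# Added example, not Sublime's code: a local model of the rule above, run over
# constructed messages so each clause can be checked by hand. Link, Message,
# split_domain and the samples are assumptions of this model; nlu_intents() is
# a keyword stand-in for the ml.nlu_classifier sensor, not the real model.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Two-label public suffixes this toy model knows about (constructed list; the
# real platform resolves sld/subdomain against the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


@dataclass
class Link:
    href_url: str
    # None models a bare URL with no anchor text (assumption of this model).
    display_text: Optional[str] = None


@dataclass
class Message:
    inbound: bool
    text: str
    links: list = field(default_factory=list)


def split_domain(host: str):
    """Return (subdomain, sld, tld) as the MQL href_url.domain.* fields expose them.

    'tracking.nylas.com' -> ('tracking', 'nylas', 'com')
    """
    labels = host.lower().rstrip(".").split(".")
    tld_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= tld_len:
        return "", "", ".".join(labels)
    tld = ".".join(labels[-tld_len:])
    sld = labels[-tld_len - 1]
    subdomain = ".".join(labels[: -tld_len - 1])
    return subdomain, sld, tld


CRED_THEFT_CUES = ("verify your account", "password", "sign in", "suspended")


def nlu_intents(text: str):
    """Stand-in for ml.nlu_classifier(text).intents: keyword hits -> confidence.

    Assumption of this model; the real sensor is an ML classifier.
    """
    hits = sum(cue in text.lower() for cue in CRED_THEFT_CUES)
    confidence = "high" if hits >= 2 else ("medium" if hits == 1 else "low")
    return [{"name": "cred_theft", "confidence": confidence}]


def suspicious_nylas_link(link: Link) -> bool:
    """filter(links, .href_url.domain.sld == 'nylas') plus the any() predicate."""
    host = urlparse(link.href_url).hostname or ""
    subdomain, sld, _ = split_domain(host)
    if sld != "nylas":
        return False  # dropped by filter() before the predicate is evaluated
    # strings.icontains: subdomain is already lowercased by split_domain()
    return link.display_text is not None and "tracking" in subdomain


def rule_matches(msg: Message) -> bool:
    """Evaluate the three top-level conjuncts of the rule body."""
    if not msg.inbound:
        return False
    if not any(suspicious_nylas_link(l) for l in msg.links):
        return False
    return any(i["name"] == "cred_theft" and i["confidence"] != "low"
               for i in nlu_intents(msg.text))


PHISH_TEXT = ("Your mailbox password expires today. Sign in to verify your "
              "account before it is suspended.")
NEWSLETTER_TEXT = "Here is the product update you asked for. Thanks for reading."

# Constructed samples, one per clause the rule can fail on.
SAMPLES = {
    "tracked_link_with_anchor_text_and_cred_theft": Message(
        True, PHISH_TEXT,
        [Link("https://tracking.nylas.com/t/abc123", "Review your account")]),
    "same_link_but_benign_text": Message(
        True, NEWSLETTER_TEXT,
        [Link("https://tracking.nylas.com/t/abc123", "Read the update")]),
    "bare_tracked_url_no_anchor_text": Message(
        True, PHISH_TEXT, [Link("https://tracking.nylas.com/t/abc123")]),
    "nylas_link_not_on_tracking_subdomain": Message(
        True, PHISH_TEXT, [Link("https://api.nylas.com/v3/messages", "Open")]),
    "lookalike_sld_tracking_nylas_example_com": Message(
        True, PHISH_TEXT,
        [Link("https://tracking.nylas.example.com/x", "Review your account")]),
    "outbound_copy_of_the_phish": Message(
        False, PHISH_TEXT,
        [Link("https://tracking.nylas.com/t/abc123", "Review your account")]),
}


def evaluate_samples() -> dict:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'MATCH' if verdict else 'no   '} {name}")
```

Only the first sample fires. The benign-text and bare-URL samples are the two legitimate Nylas tracking scenarios the rule is written to leave alone, and the lookalike sample shows that the sld check is made on the registered domain, so "nylas" appearing as a subdomain label elsewhere does not satisfy the filter.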
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
| body.current_thread.links[].href_url.domain.sld | equals | nylas |
| body.current_thread.links[].href_url.domain.subdomain | contains (case-insensitive, via strings.icontains) | tracking |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |