Service abuse: Trello board invitation with VIP impersonation
Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: VIP, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| headers (collection) |
| headers.hops (collection) |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and sender.email.domain.root_domain == "trello.com"
// inspect the hops for two observed patterns
and any(headers.hops,
        any(.fields,
            // X-Msys-Api with campaign_id
            (
                .name =~ "X-Msys-Api"
                and strings.icontains(.value, 'campaign_id":"invite_board_')
            )
            // Feedback-Id with trello and invite board
            or (
                .name == "Feedback-Id"
                and strings.icontains(.value, 'trello')
                and regex.icontains(.value, 'invite[_-]board')
            )
        )
)
// inspect the body for two observed patterns
and (
    // org_sld as the start of the board name with the org_vip as the sender
    any(html.xpath(body.html, '//h2').nodes,
        // org vip
        any($org_vips, strings.icontains(..display_text, .display_name))
        // org sld as the board name
        and any($org_slds,
                strings.icontains(..display_text,
                                  strings.concat('invited you to their board ', .)
                )
        )
    )
    // note block under the member avatar: starts with 'A note from', names an org_vip and ends in 'From'
    or any(html.xpath(body.html,
                      '//div[img[@class="trello-member-avatar"]]/parent::div'
           ).nodes,
           strings.starts_with(.display_text, 'A note from ')
           and strings.iends_with(.display_text, 'From')
           and any($org_vips, strings.icontains(..display_text, .display_name))
    )
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.domain.root_domain is 'trello.com'
- any of headers.hops where any of .fields where either:
  - all of:
    - .name is 'X-Msys-Api'
    - .value contains 'campaign_id":"invite_board_'
  - all of:
    - .name is 'Feedback-Id'
    - .value contains 'trello'
    - .value matches 'invite[_-]board'
- any of:
  - any of html.xpath(body.html, '//h2').nodes where all hold:
    - any of $org_vips where .display_text contains .display_name
    - any of $org_slds where .display_text contains 'invited you to their board ' followed by the org SLD
  - any of html.xpath(body.html, '//div[img[@class="trello-member-avatar"]]/parent::div').nodes where all hold:
    - .display_text starts with 'A note from '
    - .display_text ends with 'From'
    - any of $org_vips where .display_text contains .display_name
Inspects: body.html, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, sender.email.domain.root_domain, type.inbound. Sensors: html.xpath, regex.icontains, strings.concat, strings.icontains, strings.iends_with, strings.starts_with. Reference lists: $org_slds, $org_vips.
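To see how the two header checks and the two body checks combine, here is an added Python emulation of the rule run over a constructed Trello-style message. It is not Sublime's code and uses no Sublime API: `ORG_VIPS` and `ORG_SLDS` stand in for the `$org_vips` and `$org_slds` reference lists, the message headers and HTML body are invented, headers are checked flat instead of per `headers.hops` group, `root_domain` takes the last two labels instead of consulting the public suffix list, and the body is parsed with ElementTree, so the constructed body is well-formed XHTML rather than real Trello markup.

```python
"""Added emulation of the Trello VIP-impersonation rule; not Sublime's code."""
import email
import re
from email import policy
from email.utils import parseaddr
from xml.etree import ElementTree as ET

# Constructed stand-ins for the $org_vips and $org_slds reference lists.
ORG_VIPS = [{"display_name": "Jane Doe"}]   # hypothetical executive name
ORG_SLDS = ["examplecorp"]                   # hypothetical org second-level domain

# Constructed message in the shape the rule describes (headers and body are invented).
SAMPLE_EML = """\
From: Trello <do-not-reply@trello.com>
To: victim@examplecorp.com
Subject: Board invitation
X-Msys-Api: {"campaign_id":"invite_board_example"}
Feedback-Id: trello:invite-board
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<h2>Jane Doe invited you to their board examplecorp Q3 payments</h2>
<div>
  <div><img class="trello-member-avatar" src="avatar.png"/></div>
  <p>A note from Jane Doe: please review the invoice before the call. From</p>
</div>
</body></html>
"""

# Constructed benign invite: same service headers, no VIP name, no org domain in the title.
BENIGN_EML = SAMPLE_EML.replace(
    "<h2>Jane Doe invited you to their board examplecorp Q3 payments</h2>",
    "<h2>Alex Smith invited you to their board Weekend hiking</h2>",
).replace("A note from Jane Doe", "Hi there")


def root_domain(address: str) -> str:
    """Last two DNS labels; Sublime's root_domain uses the public suffix list instead."""
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])


def display_text(el) -> str:
    """Approximates .display_text: all descendant text with whitespace collapsed."""
    return " ".join("".join(el.itertext()).split())


def service_headers_match(msg) -> bool:
    """The headers.hops / .fields branch, checked over flat message headers."""
    for value in msg.get_all("X-Msys-Api", []):
        if 'campaign_id":"invite_board_' in str(value).lower():
            return True
    for value in msg.get_all("Feedback-Id", []):
        v = str(value).lower()
        if "trello" in v and re.search(r"invite[_-]board", v):
            return True
    return False


def board_title_match(root) -> bool:
    """//h2 text that names an org VIP and 'invited you to their board <org_sld>'."""
    for h2 in root.iter("h2"):
        text = display_text(h2).lower()
        names_vip = any(v["display_name"].lower() in text for v in ORG_VIPS)
        names_org = any(f"invited you to their board {s}".lower() in text for s in ORG_SLDS)
        if names_vip and names_org:
            return True
    return False


def note_from_vip_match(root) -> bool:
    """//div[img[@class="trello-member-avatar"]]/parent::div whose text is an
    'A note from <VIP> ... From' block."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for div in root.iter("div"):
        if not any(img.get("class") == "trello-member-avatar" for img in div.findall("img")):
            continue
        outer = parent_of.get(div)
        if outer is None or outer.tag != "div":
            continue
        text = display_text(outer)
        if (text.startswith("A note from ") and text.lower().endswith("from")
                and any(v["display_name"].lower() in text.lower() for v in ORG_VIPS)):
            return True
    return False


def rule_matches(raw: str) -> bool:
    """All conditions of the rule, in the order the MQL states them."""
    msg = email.message_from_string(raw, policy=policy.default)
    if root_domain(parseaddr(str(msg["From"]))[1]) != "trello.com":
        return False
    if not service_headers_match(msg):
        return False
    html = msg.get_body(preferencelist=("html",)).get_content()
    root = ET.fromstring(html)  # constructed body is XHTML; real mail needs an HTML parser
    return board_title_match(root) or note_from_vip_match(root)


if __name__ == "__main__":
    print("impersonation sample:", rule_matches(SAMPLE_EML))  # True
    print("benign sample:", rule_matches(BENIGN_EML))         # False
```

The benign sample keeps the genuine Trello service headers and sender domain, so it shows that the header branch alone does not fire the rule: the body has to name a listed VIP together with the organisation's domain in the board title, or carry the "A note from ... From" block naming a VIP. That is the part worth tuning when the rule is deployed, since the quality of `$org_vips` and `$org_slds` decides both the false-negative and the false-positive rate.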
Indicators matched (8)
| Field | Match | Value |
|---|---|---|
| sender.email.domain.root_domain | equals | trello.com |
| headers.hops[].fields[].name | equals | X-Msys-Api |
| strings.icontains | substring | campaign_id":"invite_board_ |
| headers.hops[].fields[].name | equals | Feedback-Id |
| strings.icontains | substring | trello |
| regex.icontains | regex | invite[_-]board |
| strings.starts_with | prefix | A note from |
| strings.iends_with | suffix | From |