Spam: Campaign with excessive space/char obfuscation and free file hosted link
This rule detects mass spam campaigns that pad the message body with excessive character spacing and link to free file-hosting services.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free file host |
Event coverage
| Message attribute |
|---|
| body |
| body.html |
| body.links (collection) |
| sender.email |
| type |
Rule body MQL

```
type.inbound
and length(attachments) == 0
and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
                    '([a-zA-Z\d\.]\s){30,}'
)
and any(body.links,
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
  or sender.email.domain.valid == false
)
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
This rule detects mass spam campaigns that pad the message body with excessive character spacing and link to free file-hosting services.
- inbound message
- length(attachments) is 0
- coalesce(body.html.inner_text, body.html.display_text) matches '([a-zA-Z\d\.]\s){30,}'
- any of body.links where any holds:
  - .href_url.domain.domain in $free_file_hosts
  - .href_url.domain.root_domain in $free_file_hosts
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - profile.by_sender().any_messages_malicious_or_spam
  - sender.email.domain.valid is False
- not:
  - profile.by_sender().any_messages_benign
Inspects: body.html.display_text, body.html.inner_text, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, sender.email.domain.valid, type.inbound. Sensors: profile.by_sender, regex.icontains. Reference lists: $free_file_hosts.
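As an added illustration (not Sublime's own code), the following Python models the rule's logic over a constructed message: the same regex, a stand-in for the $free_file_hosts list, a naive root-domain split, and the sender-profile signals passed in as a dict are all assumptions, since the real rule evaluates these inside Sublime.

```python
import re
from urllib.parse import urlparse

# The rule's regex: 30 or more consecutive runs of "one letter/digit/dot followed by
# whitespace", i.e. text padded character by character ("Y o u r d o c u m e n t ...").
SPACE_PADDING = re.compile(r'([a-zA-Z\d\.]\s){30,}', re.IGNORECASE)

# Constructed stand-in for the $free_file_hosts reference list (not Sublime's real list).
FREE_FILE_HOSTS = {"example-share.test", "example-filehost.test"}


def has_space_padding(text):
    """Equivalent of regex.icontains: True if the padded-character pattern occurs anywhere."""
    return SPACE_PADDING.search(text) is not None


def link_hosts(html):
    """Hosts of href targets in anchor tags (simplified stand-in for body.links)."""
    return [urlparse(h).hostname or "" for h in re.findall(r'href="([^"]+)"', html, re.I)]


def root_domain(host):
    """Naive root_domain (last two labels); Sublime uses a public-suffix list. Assumption."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def uses_free_file_host(hosts, free_hosts=FREE_FILE_HOSTS):
    """Mirrors: domain.domain in list OR domain.root_domain in list, for any link."""
    return any(h in free_hosts or root_domain(h) in free_hosts for h in hosts)


def rule_matches(inner_text, html, sender, attachments=0):
    """Mirror the rule's boolean structure; `sender` carries the profile signals (assumed keys)."""
    if attachments != 0 or not has_space_padding(inner_text):
        return False
    if not uses_free_file_host(link_hosts(html)):
        return False
    suspicious = (sender.get("prevalence") in ("new", "outlier")
                  or sender.get("any_malicious_or_spam", False)
                  or not sender.get("domain_valid", True))
    return suspicious and not sender.get("any_benign", False)


# Constructed sample: 33 letter-spaced characters (32 runs) plus a link to a stand-in host.
PADDED = "Y o u r d o c u m e n t i s r e a d y f o r d o w n l o a d n o w"
SAMPLE_HTML = "<p>" + PADDED + '</p><a href="https://cdn.files.example-share.test/d/abc">Open</a>'
```

Note that the regex requires the padded characters to be consecutive: a double space between words breaks the run, which is why the threshold of 30 targets whole padded sentences rather than an occasional spaced word.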
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | ([a-zA-Z\d\.]\s){30,} |