Spam: Cryptocurrency airdrop/giveaway
Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Social engineering, Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender.email |
| subject |
| type |
Rule body

```mql
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications")
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
                'Newsletters and Digests',
                'News and Current Events',
                'Legal and Compliance'
            )
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
)
// action word
and (
    strings.ilike(subject.base, '*airdrop*')
    or strings.like(body.current_thread.text, '*airdrop*')
    or strings.ilike(subject.base, '*giveaway*')
    or strings.like(body.current_thread.text, '*giveaway*')
    or regex.icontains(body.current_thread.text, 'receive \$\d{2,5} worth')
    or regex.icontains(body.current_thread.text,
                       'claim your (allocation|airdrop|bonus|share|\$\d{2,5})'
    )
    or regex.icontains(body.current_thread.text, 'connect .{0,20} wallet')
)
and not regex.icontains(body.current_thread.text, '\$\d{2,4} (off|cash)')
and (
    // crypto keyword
    regex.icontains(body.current_thread.text,
                    '\bmetamask\b',
                    '\bethereum\b',
                    '\bbinance\b',
                    '\bgemini\b',
                    '\bwallet\b',
                    '\bkraken\b',
                    '\bsolana\b',
                    '\btrezor\b',
                    '\bledger\b'
    )
    // token name, e.g. $USDT
    or regex.contains(body.current_thread.text, '\s\$[A-Z]{3,4}\s')
)
and not (
    sender.email.domain.root_domain in (
        "gemini.com",
        "ledger.com",
        "binance.com",
        "trezor.io",
        "kraken.com",
        "solana.com",
        "metamask.com",
        "ethereum.org",
        "bloomberg.com"
    )
    and headers.auth_summary.dmarc.pass
)
```
Detection logic
Scope: inbound message.
All of the following must hold:
- inbound message
- any of ml.nlu_classifier(body.current_thread.text).topics where:
  - .name in ('Financial Communications')
- not any of ml.nlu_classifier(body.current_thread.text).topics where:
  - .name in ('Newsletters and Digests', 'News and Current Events', 'Legal and Compliance')
- not any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'benign'
  - .confidence is 'high'
- any of (action word):
  - subject.base matches '*airdrop*'
  - body.current_thread.text matches '*airdrop*'
  - subject.base matches '*giveaway*'
  - body.current_thread.text matches '*giveaway*'
  - body.current_thread.text matches 'receive \$\d{2,5} worth'
  - body.current_thread.text matches 'claim your (allocation|airdrop|bonus|share|\$\d{2,5})'
  - body.current_thread.text matches 'connect .{0,20} wallet'
- not:
  - body.current_thread.text matches '\$\d{2,4} (off|cash)'
- any of (crypto keyword or token name):
  - body.current_thread.text matches any of 9 patterns: '\bmetamask\b', '\bethereum\b', '\bbinance\b', '\bgemini\b', '\bwallet\b', '\bkraken\b', '\bsolana\b', '\btrezor\b', '\bledger\b'
  - body.current_thread.text matches '\s\$[A-Z]{3,4}\s'
- not all of (authenticated mail from a known exchange or vendor domain):
  - sender.email.domain.root_domain in ('gemini.com', 'ledger.com', 'binance.com', 'trezor.io', 'kraken.com', 'solana.com', 'metamask.com', 'ethereum.org', 'bloomberg.com')
  - headers.auth_summary.dmarc.pass

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: ml.nlu_classifier, regex.contains, regex.icontains, strings.ilike, strings.like.
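To make the gating order concrete, the following is an added example in plain Python; it is not Sublime's code and not MQL. It re-implements the rule's string, regex and sender-allowlist clauses and runs them over a handful of constructed sample messages. Because ml.nlu_classifier is a Sublime-hosted model, the classifier's topic names and intents are supplied as plain input fields; the field names, the `message()` helper and every sample message are assumptions made for this example.

```python
import re

# Added example, not part of the Sublime rule page: a plain-Python
# re-implementation of the rule's gating logic over constructed messages.
# NLU classifier output (topic names and intents) is passed in as fields,
# since ml.nlu_classifier is a Sublime-hosted model.

TRUSTED_ROOT_DOMAINS = {
    "gemini.com", "ledger.com", "binance.com", "trezor.io", "kraken.com",
    "solana.com", "metamask.com", "ethereum.org", "bloomberg.com",
}
EXCLUDED_TOPICS = {"Newsletters and Digests", "News and Current Events",
                   "Legal and Compliance"}
ACTION_REGEXES = [re.compile(p, re.I) for p in (
    r"receive \$\d{2,5} worth",
    r"claim your (allocation|airdrop|bonus|share|\$\d{2,5})",
    r"connect .{0,20} wallet",
)]
DISCOUNT_REGEX = re.compile(r"\$\d{2,4} (off|cash)", re.I)
CRYPTO_KEYWORDS = re.compile(
    r"\b(metamask|ethereum|binance|gemini|wallet|kraken|solana|trezor|ledger)\b", re.I)
TOKEN_TICKER = re.compile(r"\s\$[A-Z]{3,4}\s")  # regex.contains: case-sensitive


def glob_match(text, pattern, ignore_case):
    """Emulate strings.like / strings.ilike: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.S | (re.I if ignore_case else 0)) is not None


def has_action_word(subject, body):
    """The rule's 'action word' clause: subject uses ilike, body uses like."""
    return (glob_match(subject, "*airdrop*", True)
            or glob_match(body, "*airdrop*", False)
            or glob_match(subject, "*giveaway*", True)
            or glob_match(body, "*giveaway*", False)
            or any(r.search(body) for r in ACTION_REGEXES))


def rule_matches(msg):
    """Return True when the message satisfies every clause of the rule."""
    if not msg["inbound"]:
        return False
    topics = set(msg["topics"])
    if "Financial Communications" not in topics or topics & EXCLUDED_TOPICS:
        return False
    if any(n == "benign" and c == "high" for n, c in msg["intents"]):
        return False
    body = msg["body"]
    if not has_action_word(msg["subject"], body):
        return False
    if DISCOUNT_REGEX.search(body):  # retail "$20 off" / "$50 cash" exclusion
        return False
    if not (CRYPTO_KEYWORDS.search(body) or TOKEN_TICKER.search(body)):
        return False
    # The allowlist only suppresses the hit when DMARC passed; mail that merely
    # claims an allowlisted root domain but fails DMARC is still flagged.
    if msg["sender_root_domain"] in TRUSTED_ROOT_DOMAINS and msg["dmarc_pass"]:
        return False
    return True


def message(**fields):
    """Build a constructed sample message (hypothetical field names)."""
    base = dict(inbound=True, subject="", body="", sender_root_domain="example.test",
                dmarc_pass=False, topics=["Financial Communications"], intents=[])
    base.update(fields)
    return base


SAMPLES = {  # constructed test messages, not real mail
    "airdrop_spam": message(
        subject="Claim your $500 USDT airdrop",
        body="Connect your MetaMask wallet to claim your airdrop of $USDT today."),
    "retail_giveaway": message(
        subject="Weekend giveaway!",
        body="Get $20 off your next order. Keep the coupon in your digital wallet.",
        dmarc_pass=True),
    "exchange_dmarc_pass": message(
        subject="Your airdrop allocation is ready",
        body="Claim your allocation from the Binance Launchpool.",
        sender_root_domain="binance.com", dmarc_pass=True),
    "exchange_dmarc_fail": message(
        subject="Your airdrop allocation is ready",
        body="Claim your allocation from the Binance Launchpool.",
        sender_root_domain="binance.com", dmarc_pass=False),
    "crypto_newsletter": message(
        subject="This week in crypto: airdrop season",
        body="Ethereum rollups announced new airdrops this week.",
        topics=["Financial Communications", "News and Current Events"]),
}


def evaluate_samples():
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} -> {'MATCH' if hit else 'no match'}")
```

Running the block prints one verdict per sample. The two binance.com samples carry the same text and differ only in the DMARC result, which is the point of conjoining the allowlist with headers.auth_summary.dmarc.pass: the exclusion applies to authenticated mail from those domains only, and the retail sample shows the '$NN off' clause removing an ordinary coupon mail that happens to mention a wallet.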
Indicators matched (33)
| Field | Match | Value |
|---|---|---|
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Financial Communications |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Newsletters and Digests |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | News and Current Events |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Legal and Compliance |
| ml.nlu_classifier(body.current_thread.text).intents[].name | equals | benign |
| ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
| strings.ilike | substring | *airdrop* |
| strings.like | substring | *airdrop* |
| strings.ilike | substring | *giveaway* |
| strings.like | substring | *giveaway* |
| regex.icontains | regex | receive \$\d{2,5} worth |
| regex.icontains | regex | claim your (allocation\|airdrop\|bonus\|share\|\$\d{2,5}) |
| regex.icontains | regex | connect .{0,20} wallet |
| regex.icontains | regex | \$\d{2,4} (off\|cash) |
| regex.icontains | regex | \bmetamask\b |
| regex.icontains | regex | \bethereum\b |
| regex.icontains | regex | \bbinance\b |
| regex.icontains | regex | \bgemini\b |
| regex.icontains | regex | \bwallet\b |
| regex.icontains | regex | \bkraken\b |
| regex.icontains | regex | \bsolana\b |
| regex.icontains | regex | \btrezor\b |
| regex.icontains | regex | \bledger\b |
| regex.contains | regex | \s\$[A-Z]{3,4}\s |
| sender.email.domain.root_domain | member | gemini.com |
| sender.email.domain.root_domain | member | ledger.com |
| sender.email.domain.root_domain | member | binance.com |
| sender.email.domain.root_domain | member | trezor.io |
| sender.email.domain.root_domain | member | kraken.com |
| sender.email.domain.root_domain | member | solana.com |
| sender.email.domain.root_domain | member | metamask.com |
| sender.email.domain.root_domain | member | ethereum.org |
| sender.email.domain.root_domain | member | bloomberg.com |