
Spam: Mastercard promotional content with image-based body

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages promoting untrustworthy Mastercard credit cards whose OCR'd content carries both the Financial Communications and Advertising and Promotions topics, where the message body consists primarily of image content rather than text. Excludes legitimate payment-related Mastercard communications ("paying with mastercard") and exempts high-trust sender domains unless they fail DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing, Spam
Tactics and techniques: Image as content, Impersonation: Brand, Social engineering

Rule body MQL

type.inbound
and length(attachments) == 0
and not subject.is_forward
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
        .name == "Financial Communications"
)
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
        .name == "Advertising and Promotions"
)

// mastercard mention
and strings.icontains(beta.ocr(file.message_screenshot()).text, "mastercard")
and not strings.icontains(beta.ocr(file.message_screenshot()).text,
                          "paying with mastercard"
)

// body is image
and (
  length(beta.ocr(file.message_screenshot()).text)
  / length(body.current_thread.text)
) > 10
and length(body.previous_threads) == 0

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(attachments) is 0
  3. not:
    • subject.is_forward
  4. any of ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics where:
    • .name is 'Financial Communications'
  5. any of ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics where:
    • .name is 'Advertising and Promotions'
  6. beta.ocr(file.message_screenshot()).text contains 'mastercard'
  7. not:
    • beta.ocr(file.message_screenshot()).text contains 'paying with mastercard'
  8. length(beta.ocr(file.message_screenshot()).text) / length(body.current_thread.text) > 10
  9. length(body.previous_threads) is 0
  10. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.previous_threads, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.is_forward, type.inbound. Sensors: beta.ocr, file.message_screenshot, ml.nlu_classifier, strings.icontains. Reference lists: $high_trust_sender_root_domains.
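The rule's conjunction re-implemented over constructed sample messages, as an added example that is not part of the Sublime rule set. The Message fields, the HIGH_TRUST_ROOT_DOMAINS set and the handling of an empty text body are assumptions standing in for MQL's own functions and the $high_trust_sender_root_domains list.

```python
from dataclasses import dataclass

# Constructed stand-in for the $high_trust_sender_root_domains reference list.
HIGH_TRUST_ROOT_DOMAINS = {"mastercard.com", "chase.com"}

@dataclass
class Message:
    """Only the fields the rule inspects; all values are constructed for this example."""
    inbound: bool
    attachments: int
    subject_is_forward: bool
    ocr_text: str              # stand-in for beta.ocr(file.message_screenshot()).text
    body_text: str             # stand-in for body.current_thread.text
    previous_threads: int      # stand-in for length(body.previous_threads)
    topics: frozenset          # stand-in for the NLU classifier's topic names
    sender_root_domain: str    # sender.email.domain.root_domain
    dmarc_pass: bool           # headers.auth_summary.dmarc.pass

def image_to_text_ratio(ocr_text: str, body_text: str) -> float:
    """The rule's 'body is image' signal: OCR'd characters per character of real body text.
    An empty text body is treated here as an unbounded ratio (an assumption of this example,
    not a statement of how MQL evaluates division by zero)."""
    if not body_text:
        return float("inf")
    return len(ocr_text) / len(body_text)

def matches(m: Message) -> bool:
    """Evaluates the rule's clauses in the same order as the MQL body."""
    if not m.inbound or m.attachments != 0 or m.subject_is_forward:
        return False
    if not {"Financial Communications", "Advertising and Promotions"} <= m.topics:
        return False
    ocr = m.ocr_text.lower()                       # strings.icontains is case-insensitive
    if "mastercard" not in ocr or "paying with mastercard" in ocr:
        return False
    if image_to_text_ratio(m.ocr_text, m.body_text) <= 10 or m.previous_threads != 0:
        return False
    trusted = m.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
    return not trusted or not m.dmarc_pass         # trusted senders only fire when DMARC fails

PROMO = frozenset({"Financial Communications", "Advertising and Promotions"})
IMAGE_AD = "Apply today for a new MasterCard with 0% intro APR and a $200 bonus! " * 3
# Constructed samples: an image-only promo from a lookalike domain, the same promo from a
# high-trust domain that passes DMARC, and a text-heavy receipt mentioning payment by Mastercard.
SPAM = Message(True, 0, False, IMAGE_AD, "", 0, PROMO, "cards-offer.example", False)
TRUSTED = Message(True, 0, False, IMAGE_AD, "", 0, PROMO, "mastercard.com", True)
RECEIPT = Message(True, 0, False, "Thanks for paying with Mastercard",
                  "Your order #1234 shipped. " * 5, 0, PROMO, "shop.example", True)
```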

Indicators matched (4)

ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics[].name equals "Financial Communications"
ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics[].name equals "Advertising and Promotions"
strings.icontains substring "mastercard"
strings.icontains substring "paying with mastercard"