Spam: Sexually explicit content with emoji in subject from freemail provider
Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free email provider, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
```mql
type.inbound
// sender is a freemail domain
and sender.email.domain.root_domain in $free_email_providers
// look for commonly used emojis in sexually explicit messages
and regex.icontains(subject.subject,
                    '(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == 'Sexually Explicit Messages'
)
```
Detection logic
Scope: inbound message.
All of the following clauses must hold (they are ANDed). An emoji in the subject alone does not fire the rule; the NLU topic on the current thread body is what separates explicit spam from ordinary emoji use between freemail users. Because the sender check uses root_domain (the registrable domain), mail from a subdomain of a listed provider also satisfies it.
- inbound message
- sender.email.domain.root_domain in $free_email_providers
- subject.subject contains (case-insensitive substring match) '(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
- any of ml.nlu_classifier(body.current_thread.text).topics where .name is 'Sexually Explicit Messages'
Inspects: body.current_thread.text, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains. Reference lists: $free_email_providers.
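To see how the clauses combine on concrete input, here is an added Python re-implementation of the rule's logic run over constructed sample messages. It is not Sublime's code and does not call Sublime's API. The MQL regex is reused verbatim, with its `\x{HEX}` escapes translated to Python's `\U` form; the `$free_email_providers` list, the `root_domain` derivation and the NLU topics are small constructed stand-ins (the real list is much larger, Sublime derives root_domain from the public suffix list, and the classifier output is supplied as input rather than computed).

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Sublime's $free_email_providers list; the real list is
# far larger and maintained by Sublime.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "yahoo.co.uk"}

# The rule's emoji regex, copied verbatim from the MQL above. MQL (PCRE-style)
# writes code points as \x{HEX}; Python's re wants \UXXXXXXXX, so translate first.
MQL_EMOJI_REGEX = (
    r"(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}"
    r"|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})"
)


def mql_regex_to_python(pattern: str) -> str:
    """Rewrite \\x{HEX} escapes as Python \\UXXXXXXXX escapes; everything else is kept."""
    return re.sub(
        r"\\x\{([0-9A-Fa-f]{1,8})\}",
        lambda m: "\\U%08X" % int(m.group(1), 16),
        pattern,
    )


# regex.icontains is a case-insensitive substring search, hence search() + IGNORECASE
# (case has no effect on emoji, but this keeps the semantics identical).
EMOJI_RE = re.compile(mql_regex_to_python(MQL_EMOJI_REGEX), re.IGNORECASE)

# Minimal, constructed stand-in for sender.email.domain.root_domain. Sublime derives
# this from the public suffix list; here only "co.uk" is modelled as a two-label suffix.
MULTI_LABEL_SUFFIXES = {"co.uk"}


def root_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Message:
    inbound: bool
    sender_email: str
    subject: str
    # Names of the topics the NLU classifier returned for body.current_thread.text.
    # The classifier itself is Sublime's ML model; its output is supplied here as input.
    nlu_topics: list


def evaluate(msg: Message) -> dict:
    """Evaluate each clause of the rule and AND them, as the MQL does."""
    checks = {
        "inbound": msg.inbound,
        "freemail_sender": root_domain(msg.sender_email.split("@", 1)[1]) in FREE_EMAIL_PROVIDERS,
        "emoji_in_subject": EMOJI_RE.search(msg.subject) is not None,
        "explicit_topic": "Sexually Explicit Messages" in msg.nlu_topics,
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages (not real traffic).
SAMPLES = [
    # Freemail subdomain, explicit emoji in subject, explicit topic: fires.
    Message(True, "someone@mail.yahoo.com", "Hey \U0001F60D are you alone tonight?",
            ["Sexually Explicit Messages"]),
    # Listed emoji (fire) but a marketing body: the NLU clause blocks the match.
    Message(True, "alice@gmail.com", "Our launch is \U0001F525", ["Marketing"]),
    # Heart followed by variation selector (U+2764 U+FE0F) still satisfies the \x{2764}
    # alternative as a substring, but a corporate sender is not in the freemail list.
    Message(True, "hr@example-corp.com", "\u2764\ufe0f you", ["Sexually Explicit Messages"]),
    # Outbound copy of an otherwise matching message: type.inbound fails.
    Message(False, "bob@hotmail.com", "\U0001F48B call me", ["Sexually Explicit Messages"]),
]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender_email, evaluate(m))
```

Running the script prints each sample with its per-clause results. The second and third samples show that an emoji subject or an explicit body on its own does not fire, the first shows the subdomain case passing the root_domain check, and the heart sample shows that a code point followed by a variation selector still satisfies the substring match.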
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | `(\x{1F346}\|\x{1F608}\|\x{1F609}\|\x{1F351}\|\x{2764}\|\x{1F60D}\|\x{1F618}\|\x{1F48B}\|\x{1F63B}\|\x{1F445}\|\x{1F51E}\|\x{1F525}\|\x{1F4F7})` |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Sexually Explicit Messages |