Spam: Single recipient duplicated in cc

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Spam
Tactics and techniques	Impersonation: Brand, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers (collection)
headers.auth_summary
headers.hops (collection)
recipients
recipients.cc (collection)
recipients.to (collection)
sender.email
subject
type

Rule body MQL

type.inbound

// one recipient and 1 cc
and length(recipients.to) == 1
and length(recipients.cc) == 1

// unsolicited
and not profile.by_sender().solicited

// recipients email matches the cc email
and any(recipients.to, any(recipients.cc, .email.email == ..email.email))

// body is short with spam keywords
and (
  (
    length(body.current_thread.text) < 150
    and strings.ilike(body.current_thread.text,
                      "*congrat*",
                      "*win*",
                      "*expired*",
                      "*subscription*",
                      "*won*",
                      "*gift*",
                      "*CARTE CADEAU*",
                      "*Votre chance*",
                      "*survey*",
                      "*livraison*",
                      "*delivery*",
                      "*package*"
    )
  )

  // body is super short
  or length(body.current_thread.text) < 10

  // body has no spaces
  or regex.imatch(body.current_thread.text, '[^ ]+')

  // subject is null
  or subject.subject == ""

  // dmarc failure
  or not headers.auth_summary.dmarc.pass

  // or display text contains suspicious terms
  or any(body.links,
         regex.icontains(.display_text,
                         'Congrat|Survey|package|delivery|\bclaim\b'
         )
         and not .href_url.domain.root_domain == "surveymonkey.com"
  )

  // compauth failure
  or any(headers.hops,
         .authentication_results.compauth.verdict not in (
           "pass",
           "softpass",
           "none"
         )
  )

  // all links display text is null or aka.ms
  or (
    length(filter(body.links,
                  (
                    (
                      .display_text is null
                      and .href_url.domain.root_domain != sender.email.domain.root_domain
                    )
                    or .href_url.domain.root_domain in (
                      "aka.ms",
                      "mimecast.com",
                      "mimecastprotect.com",
                      "cisco.com"
                    )
                  )
           )
    ) == length(body.links)
  )
  or (
    // fake thread check
    regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:.*')
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or headers.in_reply_to is null
    )
  )
)

Detection logic

Scope: inbound message.

Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.

inbound message
length(recipients.to) is 1
length(recipients.cc) is 1
not:
- profile.by_sender().solicited
any of recipients.to where:
- any of recipients.cc where:
  - .email.email is .email.email
any of:
- all of:
  - length(body.current_thread.text) < 150
  - body.current_thread.text matches any of 12 patterns
    
    *congrat*
    *win*
    *expired*
    *subscription*
    *won*
    *gift*
    *CARTE CADEAU*
    *Votre chance*
    *survey*
    *livraison*
    *delivery*
    *package*
- length(body.current_thread.text) < 10
- body.current_thread.text matches '[^ ]+'
- subject.subject is ''
- not:
  - headers.auth_summary.dmarc.pass
- any of body.links where all hold:
  - .display_text matches 'Congrat|Survey|package|delivery|\\bclaim\\b'
  - not:
    
    .href_url.domain.root_domain is 'surveymonkey.com'
- any of headers.hops where:
  - .authentication_results.compauth.verdict not in ('pass', 'softpass', 'none')
- length(filter(body.links, .display_text is null and .href_url.domain.root_domain != sender.email.domain.root_domain or .href_url.domain.root_domain in ('aka.ms', 'mimecast.com', 'mimecastprotect.com', 'cisco.com'))) is length(body.links)
- all of:
  - subject.subject matches '(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?)\\s?:.*'
  - any of:
    
    all of:
    
    length(headers.references) is 0
    headers.in_reply_to is missing
    headers.in_reply_to is missing

Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].authentication_results.compauth.verdict, headers.in_reply_to, headers.references, recipients.cc, recipients.cc[].email.email, recipients.to, recipients.to[].email.email, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: profile.by_sender, regex.icontains, regex.imatch, strings.ilike.

Indicators matched (24)

Field	Match	Value
`strings.ilike`	substring	`congrat`
`strings.ilike`	substring	`win`
`strings.ilike`	substring	`expired`
`strings.ilike`	substring	`subscription`
`strings.ilike`	substring	`won`
`strings.ilike`	substring	`gift`
`strings.ilike`	substring	`CARTE CADEAU`
`strings.ilike`	substring	`Votre chance`
`strings.ilike`	substring	`survey`
`strings.ilike`	substring	`livraison`
`strings.ilike`	substring	`delivery`
`strings.ilike`	substring	`package`

12 more

`regex.imatch`	regex	`[^ ]+`
`subject.subject`	equals
`regex.icontains`	regex	`Congrat\|Survey\|package\|delivery\|\bclaim\b`
`body.links[].href_url.domain.root_domain`	equals	`surveymonkey.com`
`headers.hops[].authentication_results.compauth.verdict`	member	`pass`
`headers.hops[].authentication_results.compauth.verdict`	member	`softpass`
`headers.hops[].authentication_results.compauth.verdict`	member	`none`
`body.links[].href_url.domain.root_domain`	member	`aka.ms`
`body.links[].href_url.domain.root_domain`	member	`mimecast.com`
`body.links[].href_url.domain.root_domain`	member	`mimecastprotect.com`
`body.links[].href_url.domain.root_domain`	member	`cisco.com`
`regex.imatch`	regex	`(\[[^\]]+\]\s?){0,3}(re\|fwd?)\s?:.*`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)