Spam: URL shortener with short body content and emojis
Detects spam from freemail senders, where the majority of the body is a URL shortener and emojis.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Free email provider |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| body.plain |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
// sender is a freemail
and sender.email.domain.root_domain in $free_email_providers
// has a URL shortener
and any(body.links,
        .href_url.domain.root_domain in $url_shorteners
        or .href_url.domain.root_domain in $social_landing_hosts
)
// short body, basically just the URL
and length(body.plain.raw) < 100
// has an emoji in the subject or body
and (
  regex.contains(body.plain.raw,
                 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
  or regex.contains(subject.subject,
                    '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  )
)
// sender is new or an outlier, or has only ever sent spam or malicious mail
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
Detection logic
Scope: inbound message.
all of:
- type.inbound
- sender.email.domain.root_domain in $free_email_providers
- any of body.links holds:
  - .href_url.domain.root_domain in $url_shorteners
  - .href_url.domain.root_domain in $social_landing_hosts
- length(body.plain.raw) < 100
- any of:
  - body.plain.raw matches '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
  - subject.subject matches '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not profile.by_sender().any_messages_benign
Inspects: body.links, body.links[].href_url.domain.root_domain, body.plain.raw, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: profile.by_sender, regex.contains. Reference lists: $free_email_providers, $social_landing_hosts, $url_shorteners.
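The rule's gates re-implemented in Python and run over constructed sample messages, as an added example (this is example code, not Sublime's own rule engine). The reference lists are abbreviated stand-ins for $free_email_providers, $url_shorteners and $social_landing_hosts, root_domain is a two-label approximation of Sublime's eTLD+1 lookup, and the emoji class copies the rule's code-point ranges in Python's \U escape form (MQL writes \x{1F300}). The last sample shows a caveat worth knowing: emoji from the Symbols and Pictographs Extended-A block (U+1FA70 onward, e.g. U+1FAE0) lie outside the rule's ranges, so a message whose only emoji is one of those does not fire.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Assumed, abbreviated stand-ins for Sublime's reference lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
SOCIAL_LANDING_HOSTS = {"linktr.ee", "beacons.ai"}

# The rule's emoji character class, same code-point ranges, Python escape syntax.
EMOJI_RE = re.compile(
    "[\U0001F300-\U0001F5FF\U0001F600-\U0001F64F\U0001F680-\U0001F6FF"
    "\U0001F700-\U0001F77F\U0001F780-\U0001F7FF\U0001F900-\U0001F9FF"
    "\u2600-\u26FF\u2700-\u27BF\u2300-\u23FF]"
)


@dataclass
class SenderProfile:
    """Subset of profile.by_sender() that the rule reads."""
    prevalence: str                      # "new", "outlier", "rare", "common", ...
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False


@dataclass
class Message:
    inbound: bool
    sender_email: str
    subject: str                         # subject.subject
    body_plain: str                      # body.plain.raw
    links: List[str]                     # body.links[].href_url
    profile: SenderProfile


def root_domain(host: str) -> str:
    """Approximation of .root_domain (eTLD+1): keep the last two labels.
    Sublime uses the public suffix list, which also handles co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_is_freemail(msg: Message) -> bool:
    return root_domain(msg.sender_email.rsplit("@", 1)[-1]) in FREE_EMAIL_PROVIDERS


def has_shortener_link(msg: Message) -> bool:
    # any(body.links, root_domain in $url_shorteners or in $social_landing_hosts)
    for href in msg.links:
        host = urlparse(href).hostname
        if host and root_domain(host) in URL_SHORTENERS | SOCIAL_LANDING_HOSTS:
            return True
    return False


def body_is_short(msg: Message) -> bool:
    return len(msg.body_plain) < 100     # length(body.plain.raw) < 100


def has_emoji(msg: Message) -> bool:
    return bool(EMOJI_RE.search(msg.body_plain) or EMOJI_RE.search(msg.subject))


def sender_unvetted(msg: Message) -> bool:
    # new/outlier sender, or a sender whose only history is spam or malicious mail
    p = msg.profile
    return p.prevalence in ("new", "outlier") or (
        p.any_messages_malicious_or_spam and not p.any_messages_benign
    )


def matches_rule(msg: Message) -> bool:
    return (msg.inbound and sender_is_freemail(msg) and has_shortener_link(msg)
            and body_is_short(msg) and has_emoji(msg) and sender_unvetted(msg))


NEW = SenderProfile("new")
SPAM_ONLY = SenderProfile("common", any_messages_malicious_or_spam=True)
KNOWN_GOOD = SenderProfile("common", any_messages_malicious_or_spam=True,
                           any_messages_benign=True)

# Constructed sample messages (not real traffic); names state the expected verdict.
SAMPLES: Dict[str, Message] = {
    "hit_body_emoji": Message(True, "promo.deals88@gmail.com", "You won",
        "Claim here \U0001F449 https://bit.ly/3xyz \U0001F381", ["https://bit.ly/3xyz"], NEW),
    "hit_subject_emoji_social_host": Message(True, "xoxo.fan@yahoo.com", "\U0001F525 new drop",
        "https://linktr.ee/someone", ["https://linktr.ee/someone"], SenderProfile("outlier")),
    "hit_spam_only_history": Message(True, "deals@hotmail.com", "\U0001F4B0",
        "https://t.co/abc", ["https://t.co/abc"], SPAM_ONLY),
    "miss_corporate_sender": Message(True, "alerts@example.com", "\U0001F525 sale",
        "https://bit.ly/3xyz", ["https://bit.ly/3xyz"], NEW),
    "miss_long_body": Message(True, "promo.deals88@gmail.com", "\U0001F525",
        "Hello, I hope this message finds you well. " * 3 + "https://bit.ly/3xyz",
        ["https://bit.ly/3xyz"], NEW),
    "miss_benign_history": Message(True, "friend@gmail.com", "\U0001F60A",
        "https://bit.ly/3xyz", ["https://bit.ly/3xyz"], KNOWN_GOOD),
    "miss_no_shortener": Message(True, "friend@gmail.com", "\U0001F60A",
        "https://www.example.org/photos", ["https://www.example.org/photos"], NEW),
    "miss_newer_emoji_block": Message(True, "promo@outlook.com", "melting",
        "\U0001FAE0 https://bit.ly/3xyz", ["https://bit.ly/3xyz"], NEW),
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'MATCH' if verdict else 'no   '}  {name}")
```

Run it and only the three "hit_" samples match. The benign-history sample fails solely on the profile gate, which is what keeps a colleague who once forwarded a bit.ly link from tripping the rule; the last sample is the reason to extend the character class if newer emoji blocks matter in your traffic.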
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| regex.contains | regex | [\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}] |