Detection rules › Sublime MQL
Subject: Suspicious bracketed reference
Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Impersonation: Brand |
Event coverage
Rule body (MQL)

```
type.inbound
and strings.contains(subject.base, '[')
and strings.ends_with(subject.base, ']')
and any(regex.extract(subject.base,
                      '\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
        ),
        .named_groups["first"] == .named_groups["second"]
        and regex.match(.named_groups["second_part"], '^\d+$')
        and regex.contains(.named_groups["third_section"], '\d+$')
        and strings.istarts_with(.named_groups["third_section"],
                                 .named_groups["first"]
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- subject.base contains '['
- subject.base ends with ']'
- any match of regex.extract(subject.base, '\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$') where all of the following hold:
  - .named_groups['first'] equals .named_groups['second'] (the two characters after '[' repeat)
  - .named_groups['second_part'] matches '^\d+$' (the middle segment is purely numeric)
  - .named_groups['third_section'] contains '\d+$' (the final segment ends in digits)
  - strings.istarts_with(.named_groups['third_section'], .named_groups['first']) (the final segment starts with the repeated character, compared case-insensitively)
Inspects: subject.base, type.inbound. Sensors: regex.contains, regex.extract, regex.match, strings.contains, strings.ends_with, strings.istarts_with.
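As an added worked example (not Sublime's code and not part of this rule page), the Python below mirrors the rule's conditions so the logic can be exercised against sample subject lines offline. Python's `re` module stands in for MQL's `regex.*` and `strings.*` functions; it is assumed that `regex.extract` yields every match of the pattern and that `any(...)` passes when one of them satisfies all sub-checks. The subject lines in `SAMPLE_SUBJECTS` are constructed for the demonstration, not taken from real mail.

```python
import re

# Same pattern the rule passes to regex.extract; Python's re accepts (?P<name>...) groups.
BRACKET_RE = re.compile(
    r'\[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$'
)
ALL_DIGITS_RE = re.compile(r'^\d+$')   # regex.match(second_part, '^\d+$')
ENDS_DIGITS_RE = re.compile(r'\d+$')   # regex.contains(third_section, '\d+$')


def subject_matches(subject_base: str) -> bool:
    """Return True when subject_base satisfies every condition of the rule.

    Assumption: regex.extract yields all matches and any() succeeds if one
    of them passes the inner checks (Python stand-in for the MQL semantics).
    """
    # strings.contains(subject.base, '[') and strings.ends_with(subject.base, ']')
    if '[' not in subject_base or not subject_base.endswith(']'):
        return False
    for m in BRACKET_RE.finditer(subject_base):
        g = m.groupdict()
        if (g['first'] == g['second']                                      # repeated leading char
                and ALL_DIGITS_RE.match(g['second_part']) is not None      # middle segment numeric
                and ENDS_DIGITS_RE.search(g['third_section']) is not None  # tail ends in digits
                # strings.istarts_with is case-insensitive, hence lower() on both sides
                and g['third_section'].lower().startswith(g['first'].lower())):
            return True
    return False


def flag_subjects(subjects):
    """Run the check over a batch of subject lines and return the ones that fire."""
    return [s for s in subjects if subject_matches(s)]


# Constructed sample subjects: two are shaped like the pattern the rule targets,
# the rest are near-misses that fail exactly one condition, or benign mail.
SAMPLE_SUBJECTS = [
    "[AA-12345-A9876]",                   # fires: A==A, numeric middle, tail ends in digits, tail starts with A
    "Invoice ready [XX-2023-x77]",        # fires: prefix check is case-insensitive (x vs X)
    "[AB-12345-A9876]",                   # first != second
    "[AA-12a45-A9876]",                   # middle segment not purely numeric
    "[AA-12345-B9876]",                   # tail does not start with the repeated character
    "[AA-12345-A9876abc]",                # tail does not end in digits
    "[AA-12345-A9876] - please review",   # bracket group is not at the end of the subject
    "Re: lunch on Friday",                # no bracket at all
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(f"{'MATCH' if subject_matches(s) else 'no   '}  {s!r}")
```

The near-miss cases are the useful part when tuning: each one drops a single condition, which shows how narrow the rule is (the trailing `$` anchor alone excludes any subject that has text after the bracketed token).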
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
| strings.contains | substring | [ |
| strings.ends_with | suffix | ] |
| regex.extract | regex | \[(?P<first>.)(?P<second>.)\-(?P<second_part>[^\-]+)\-(?P<third_section>[^\]]+)\]$ |
| regex.match | regex | ^\d+$ |
| regex.contains | regex | \d+$ |