URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
Detects URLhaus domains submitted by trusted reporters in message bodies or pdf attachments
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body |
| body.links (collection) |
| type |
Rule body (MQL)
```
type.inbound
and (
  any(body.links,
      // filter potentially known good domains
      // prevents FPs on entries such as drive[.]google[.]com, or
      // other accidental pushes to the List
      .href_url.domain.domain not in $free_file_hosts
      and .href_url.domain.root_domain not in $free_file_hosts
      and .href_url.domain.domain not in $tranco_1m
      and .href_url.domain.domain not in $umbrella_1m
      // this ensures we don't flag on legit FQDNs that
      // aren't in the Tranco 1M, but their root domains are
      // eg: support[.]google[.]com
      and .href_url.domain.root_domain not in $tranco_1m
      and .href_url.domain.root_domain not in $umbrella_1m
      and .href_url.domain.root_domain not in $free_subdomain_hosts
      and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
  )
  or any(attachments,
         .file_type == "pdf"
         and any(file.explode(.),
                 any(.scan.pdf.urls,
                     // filter potentially known good domains
                     // prevents FPs on entries such as drive[.]google[.]com, or
                     // other accidental pushes to the List
                     .domain.domain not in $free_file_hosts
                     and .domain.root_domain not in $free_file_hosts
                     and .domain.domain not in $free_subdomain_hosts
                     and .domain.domain not in $tranco_1m
                     and .domain.domain not in $umbrella_1m
                     // this ensures we don't flag on legit FQDNs that
                     // aren't in the Tranco 1M, but their root domains are
                     // eg: support[.]google[.]com
                     and .domain.root_domain not in $tranco_1m
                     and .domain.root_domain not in $umbrella_1m
                     and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
                 )
         )
  )
)
```
Detection logic
Scope: inbound message.
- type.inbound
- and any of:
  - any body.links where all hold:
    - .href_url.domain.domain not in $free_file_hosts
    - .href_url.domain.root_domain not in $free_file_hosts
    - .href_url.domain.domain not in $tranco_1m
    - .href_url.domain.domain not in $umbrella_1m
    - .href_url.domain.root_domain not in $tranco_1m
    - .href_url.domain.root_domain not in $umbrella_1m
    - .href_url.domain.root_domain not in $free_subdomain_hosts
    - .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
  - any attachments where all hold:
    - .file_type is 'pdf'
    - any file.explode(.) where any .scan.pdf.urls where all hold:
      - .domain.domain not in $free_file_hosts
      - .domain.root_domain not in $free_file_hosts
      - .domain.domain not in $free_subdomain_hosts
      - .domain.domain not in $tranco_1m
      - .domain.domain not in $umbrella_1m
      - .domain.root_domain not in $tranco_1m
      - .domain.root_domain not in $umbrella_1m
      - .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
The two branches are not symmetric. The body branch looks up the link's root domain in $abuse_ch_urlhaus_domains_trusted_reporters, so any subdomain of a listed root domain matches; the PDF branch looks up the full FQDN (.domain.domain), so a PDF link to an unlisted subdomain of a listed root domain does not match. The $free_subdomain_hosts exclusion likewise applies to the root domain in the body branch and to the FQDN in the PDF branch. The allowlist exclusions ($free_file_hosts, $tranco_1m, $umbrella_1m) are applied to both the FQDN and the root domain in both branches, which is what keeps an entry such as drive[.]google[.]com from firing, as the rule's comments note.
Inspects: attachments[].file_type, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, type.inbound. Sensors: file.explode. Reference lists: $abuse_ch_urlhaus_domains_trusted_reporters, $free_file_hosts, $free_subdomain_hosts, $tranco_1m, $umbrella_1m.
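The same two-branch filter, re-implemented as an added Python example that is not Sublime's code and does not evaluate MQL. It runs over a constructed message, with stand-in sets for the reference lists (the contents of $free_file_hosts, $free_subdomain_hosts, $tranco_1m, $umbrella_1m and $abuse_ch_urlhaus_domains_trusted_reporters are hypothetical), a simplified root-domain split in place of Sublime's public-suffix handling, and a regex over uncompressed PDF /URI link annotations in place of file.explode's .scan.pdf.urls. The sample messages show the allowlist exclusion on drive.google.com, the inbound scope check, and the root-domain versus FQDN difference between the two branches.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's reference lists; contents are hypothetical.
# drive.google.com is placed in the URLhaus set to mimic the "accidental push"
# that the rule's comments guard against.
FREE_FILE_HOSTS = {"drive.google.com", "dropbox.com"}
FREE_SUBDOMAIN_HOSTS = {"github.io", "weebly.com"}
TRANCO_1M = {"google.com", "microsoft.com"}
UMBRELLA_1M = {"google.com", "microsoft.com"}
URLHAUS_TRUSTED = {"malicious-example.test", "drive.google.com"}

# Assumption: a tiny two-level public-suffix table instead of the full PSL that
# Sublime's .domain.root_domain relies on.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def split_domain(host):
    """Return (fqdn, root_domain), mirroring .domain.domain / .domain.root_domain."""
    fqdn = host.lower().rstrip(".")
    labels = fqdn.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return fqdn, ".".join(labels[-3:])
    return fqdn, ".".join(labels[-2:])


def on_benign_lists(fqdn, root):
    """Allowlist checks shared by both branches, applied to FQDN and root domain."""
    return (fqdn in FREE_FILE_HOSTS or root in FREE_FILE_HOSTS
            or fqdn in TRANCO_1M or fqdn in UMBRELLA_1M
            or root in TRANCO_1M or root in UMBRELLA_1M)


def body_link_matches(href):
    """Body branch: free-subdomain filter and URLhaus lookup key on root_domain."""
    host = urlparse(href).hostname
    if not host:
        return False
    fqdn, root = split_domain(host)
    return (not on_benign_lists(fqdn, root)
            and root not in FREE_SUBDOMAIN_HOSTS
            and root in URLHAUS_TRUSTED)


def pdf_url_matches(url):
    """PDF branch: free-subdomain filter and URLhaus lookup key on the full FQDN."""
    host = urlparse(url).hostname
    if not host:
        return False
    fqdn, root = split_domain(host)
    return (not on_benign_lists(fqdn, root)
            and fqdn not in FREE_SUBDOMAIN_HOSTS
            and fqdn in URLHAUS_TRUSTED)


# Stand-in for file.explode(.).scan.pdf.urls: URLs from uncompressed /URI link
# annotations. Real PDFs often compress object streams, which this does not handle.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_urls(pdf_bytes):
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(pdf_bytes)]


def evaluate(message):
    """Return 'body' or 'pdf' for the branch that fired, or None."""
    if not message["inbound"]:                      # type.inbound
        return None
    if any(body_link_matches(h) for h in message["body_links"]):
        return "body"
    for att in message["attachments"]:
        if att["file_type"] != "pdf":
            continue
        if any(pdf_url_matches(u) for u in pdf_urls(att["content"])):
            return "pdf"
    return None


# Constructed sample data: a PDF fragment with two link annotations.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (http://www.malicious-example.test/invoice.pdf) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (https://drive.google.com/file/d/abc) >> >>\nendobj\n"
)


def msg(inbound=True, body_links=(), attachments=()):
    return {"inbound": inbound, "body_links": list(body_links),
            "attachments": list(attachments)}


MSG_BODY_HIT = msg(body_links=["http://malicious-example.test/bad.exe"])
MSG_DRIVE_FP = msg(body_links=["https://drive.google.com/file/d/abc"])
MSG_PDF_SUBDOMAIN = msg(attachments=[{"file_type": "pdf", "content": SAMPLE_PDF}])
MSG_BODY_SUBDOMAIN = msg(body_links=["http://www.malicious-example.test/invoice.pdf"])
MSG_OUTBOUND = msg(inbound=False, body_links=["http://malicious-example.test/bad.exe"])

if __name__ == "__main__":
    for name, m in [("body hit", MSG_BODY_HIT), ("drive FP", MSG_DRIVE_FP),
                    ("pdf subdomain", MSG_PDF_SUBDOMAIN),
                    ("body subdomain", MSG_BODY_SUBDOMAIN), ("outbound", MSG_OUTBOUND)]:
        print(f"{name}: {evaluate(m)}")
```

MSG_PDF_SUBDOMAIN and MSG_BODY_SUBDOMAIN carry the same URL; only the body branch fires, because www.malicious-example.test is not itself in the URLhaus set while its root domain is. If that gap matters in your environment, the PDF branch can be keyed on .domain.root_domain to match the body branch, at the cost of the FQDN-level precision the original rule keeps there.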
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | pdf |