detection.wiki

Detection rules › Sublime MQL

VIP / Executive impersonation in subject (untrusted)

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesImpersonation: VIP

Event coverage

Message attribute
attachments (collection)
headers.auth_summary
mailbox
recipients
recipients.to (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
and any($org_vips,
        strings.contains(subject.subject, .display_name)
        and strings.contains(.display_name, " ")
)
// not being sent to said VIP
and not (
  (
    length(recipients.to) == 1
    and all(recipients.to,
            any($org_vips,
                .email == ..email.email
                and strings.contains(subject.subject, .display_name)
                and strings.contains(.display_name, " ")
            )
    )
  )
)
and (
  // ignore personal <> work emails
  // where the sender and mailbox's display name are the same
  length(recipients.to) > 0
  or length(recipients.cc) > 0
  or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

  1. inbound message
  2. any of $org_vips where all hold:
    • strings.contains(subject.subject)
    • .display_name contains ' '
  3. not:
    • all of:
      • length(recipients.to) is 1
      • all of recipients.to where:
        • any of $org_vips where all hold:
          • .email is .email.email
          • strings.contains(subject.subject)
          • .display_name contains ' '
  4. any of:
    • length(recipients.to) > 0
    • length(recipients.cc) > 0
    • sender.display_name is not mailbox.display_name
  5. not:
    • sender.email.local_part matches any of 3 patterns
      • *postmaster*
      • *mailer-daemon*
      • *administrator*
  6. not:
    • any of attachments where:
      • .content_type in ('message/rfc822', 'message/delivery-status', 'text/calendar')
  7. any of:
    • all of:
      • profile.by_sender().prevalence in ('new', 'outlier')
      • not:
        • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  8. any of:
    • all of:
      • sender.email.domain.root_domain in $org_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $org_domains
  9. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].content_type, headers.auth_summary.dmarc.pass, mailbox.display_name, recipients.cc, recipients.to, recipients.to[].email.email, sender.display_name, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: profile.by_sender, strings.contains, strings.like. Reference lists: $high_trust_sender_root_domains, $org_domains, $org_vips.

Indicators matched (7)

FieldMatchValue
strings.containssubstring
strings.likesubstring*postmaster*
strings.likesubstring*mailer-daemon*
strings.likesubstring*administrator*
attachments[].content_typemembermessage/rfc822
attachments[].content_typemembermessage/delivery-status
attachments[].content_typemembertext/calendar