Taking a look at some great Detection Rules written by Sublime Community members

Sublime was created to do email security differently. Instead of walling off proprietary Detections like traditional solutions, we kept our Rules open and gave customers the tools to easily modify and create new, AI-powered Detection Rules whenever they wanted. No tickets necessary – just edit, test, iterate, and backtest Rules from an intuitive detection workbench.

Edit, test, iterate, and backtest Detection Rules within the Sublime Rule Editor

If a Rule could benefit the larger Sublime community, it can be shared directly from the Rule Editor. If shared with us, the Rule goes directly to our Detection team for review. At that point, they will determine if the Rule should be added to our Core Feed, make revisions, perform testing, and then add it to the Feed.

If a rule is too niche to be considered for the Core Feed, it can still be shared on the Sublime Community Slack for other community members to review for themselves.

Be descriptive when sharing rules

Community is important in security. The number of attackers will always exceed the number of security practitioners on any given team, but as a community we can work together to increase our security depth and reach. With that in mind, we’d like to shine a spotlight on a few of our community-contributed Detection Rules and thank the authors for making our community stronger.

Attachment: Office Document with VSTO Add-in

Rule: https://sublime.security/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730/

Author: @vector_sec

Attackers will often hide payloads within file types commonly used by organizations. One method we’ve seen is to embed a malicious Visual Studio Tools for Office (VSTO) add-in within a Microsoft Office document. This rule starts by using lists to determine whether an attachment could contain a macro or is an archive (or is an extensionless octet-stream of unknown type). It then explodes the attachment and uses .scan.exiftool to inspect the metadata of any Office file inside it for a Tag_AssemblyLocation field that points to a .vsto assembly located outside of Program Files and outside of the organization's own domains. Finally, it verifies that the message was unsolicited (no previous outreach from the recipient) and that the sender has no previously flagged false positives.

type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or .file_extension in~ $file_extensions_common_archives
          or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
        )
        and any(file.explode(.),
                .file_extension in~ (
                  "doc",
                  "docm",
                  "docx",
                  "dot",
                  "dotm",
                  "xls",
                  "xlsx",
                  "xlsm",
                  "xlm",
                  "xlsb",
                  "xlt",
                  "xltm",
                  "ppt",
                  "pptx",
                  "pptm",
                  "ppsm"
                )
                and any(.scan.exiftool.fields,
                        .key == "Tag_AssemblyLocation" and strings.ilike(.value, "*.vsto*")
                        and not strings.ilike(.value, 'C:\Program Files*')
                        and not any($org_domains, strings.contains(..value, .))
                )
        )
)
// the message is unsolicited and no false positives
and (
  not profile.by_sender().solicited
  or (
    length(headers.reply_to) > 0
    and all(headers.reply_to, .email.email not in $recipient_emails)
  )
)
and not profile.by_sender().any_false_positives

Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

Rule: https://sublime.security/feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b/

Author: @ajpc500

This Detection Rule was originally created to detect QakBot attacks that leveraged double Base64-encoded ZIP files smuggled in HTML attachments. Similar to the previous rule, it first restricts its scope to senders that are not established as safe: new or outlier senders, or senders with prior malicious or spam messages and no false positives. It then looks for any attached HTML files. If any are attached, it uses the file.explode function to extract the strings inside each file, and then uses strings.ilike to search them for wildcard-wrapped substrings (in both forward and reversed form) that are the hallmark of double Base64-encoded ZIP files.

type.inbound
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and any(attachments,
        .file_extension in ("html", "htm")
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(.,
                                  // Double Base64 encoded zips
                                  "*VUVzREJCUUFBUUFJQ*",
                                  "*VFc0RCQlFBQVFBSU*",
                                  "*VRXNEQkJRQUFRQUlB*",
                                  // Reversed base64 strings double encoded zips
                                  "*QJFUUBFUUCJERzVUV*",
                                  "*USBFVQBFlQCR0cFV*",
                                  "*BlUQRFUQRJkQENXRV*"
                    )
                )
        )
)

Attachment: HTML smuggling with ROT13

Rule: https://sublime.security/feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf/

Author: @Kyle_Parrish_

Attackers will use obfuscation techniques to bypass email security filters. This Detection Rule analyzes attached HTML files (and HTML inside common archives) for a JavaScript identifier named rot13, limited to scripts with fewer than 100 identifiers, which points to ROT13-based obfuscation of the payload. While not complex, this Detection Rule highlights the ease with which a detection engineer can shut down novel attacks quickly with Message Query Language (MQL). As with the rules above, after the author created this rule it was shared with Sublime for inclusion in our Core Feed.

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                any(.scan.javascript.identifiers, . in~ ("rot13"))
                and length(.scan.javascript.identifiers) < 100
        )
)

Email security as strong as its community

Once more, we want to thank the Sublime Community for all of their contributions to our Core Feed. While the majority of our customers and users don't write their own rules, we’re always excited to see the interesting rules that get cooked up along the edges.

If you’d like to see the power of Sublime for yourself, get an expert demo today.

About the Authors

Threat Detection Team

Sublime

The Threat Detection team at Sublime is responsible for monitoring environments to discover emerging email attacks and developing new Detection Rules for the Core Feed.
