Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Attack Types
Profiles of cyber threats that pinpoint the attackers' primary intent, whether it's to steal credentials, distribute malware, or commit fraud.
BEC/Fraud
BEC/Fraud often involves deceptive tactics that don't require malicious content as well as the impersonation of employees, VIPs, vendors, or other trusted entities to deceive employees into transferring funds or sharing sensitive data. Lacking malicious URLs or attachments, they exploit human vulnerabilities and rely on social engineering tactics.
Callback Phishing
Callback phishing involves the impersonation of reputable organizations to persuade victims into calling a phone number, thereby bypassing traditional email-based phishing detection. This leads to potential outcomes like fraud, data theft, identity theft, and malware distribution.
Credential Phishing
Credential phishing involves tricking victims into providing their login credentials, often through deceptive email messages and websites that mimic legitimate platforms. The stolen credentials are then used to access sensitive data or commit fraudulent activities.
Extortion
Extortion involves coercing victims by holding sensitive information or assets hostage while demanding ransom or other concessions.
Malware/Ransomware
Malware/Ransomware involves the distribution of malicious software. Once infiltrated, this software can hijack, damage, or block access to systems, often requiring a ransom payment for data retrieval.
Reconnaissance
Attackers use reconnaissance emails to test the waters of an organization's email security defenses, verifying deliverability to intended recipients, confirming the validity of specific email addresses, and assessing the effectiveness of spam filters and other security measures in place. The information gathered from these reconnaissance activities can then be used to tailor more targeted and damaging attacks, such as credential phishing or business email compromise (BEC) attacks, with a higher chance of success.
Spam
Spam is unsolicited bulk email, primarily sent for commercial or marketing purposes.
Tactics and Techniques
Methods and strategies employed by threat actors to execute their attack, focusing on their actions, behaviors, and artifacts.
Encryption
Uses encryption to hide malicious content, making it harder for security systems to analyze and detect phishing attempts.
Evasion
Refers to any deliberate effort by threat actors to obfuscate, circumvent, or bypass detection methods to ensure their malicious activities remain undetected or undeterred.
Exploit
Abuses software vulnerabilities to gain unauthorized access or deliver malware to a target system.
Free email provider
Uses a free email provider like Gmail, capitalizing on the established reputation and ubiquity these services have in legitimate email traffic.
Free file host
Abuses free file hosting services to distribute harmful files, often bypassing traditional attachment-based analysis.
Free subdomain host
Creates deceptive subdomains on free hosting platforms with established reputation to impersonate legitimate websites for phishing attacks.
HTML smuggling
Uses HTML5 features to smuggle malicious code across the network and onto a victim's system, evading traditional network-based detection.
Image as content
Evades traditional text-based detection by putting the content of the message in an image. These images typically don't execute code or contain scripting, but the image itself is often the linked element.
Impersonation: Brand
Involves mimicking well-known brands to deceive recipients and exploit the trust associated with those brands.
Impersonation: Employee
Poses as employees, managers, or internal contractors to capitalize on the recipient's trust and familiarity to manipulate or deceive them.
Impersonation: VIP
Poses as company VIPs to exploit the inherent trust and urgency associated with these roles, and instigate fraudulent financial transactions, manipulate internal processes, or convince employees to perform actions that undermine the security or integrity of the organization.
IPFS
Abuses IPFS (InterPlanetary File System) to host and distribute phishing content, evading traditional takedown methods.
ISO
Uses ISO image files to circumvent analysis and deliver malware.
LNK
Uses LNK files to discreetly execute malicious code.
Lookalike domain
Uses domains that closely resemble legitimate domains to deceive and mislead users.
Macros
Uses macros, typically in Microsoft Office documents, that threat actors weaponize to execute malicious code as a delivery mechanism for malware or as a foothold into a system, capitalizing on user trust in familiar attachment types.
OneNote
Uses OneNote files to circumvent analysis and deliver malicious payloads or solicit credentials.
Open redirect
Exploits vulnerabilities in web applications that allow attackers to redirect users from a trusted site to a malicious site, often used for phishing or malware distribution.
Out of band pivot
Attempts to change communication medium (e.g. email → phone) to move to a less protected ecosystem.
PDF
Uses PDF files, often to deliver malware or embedded phishing links.
Punycode
Creates deceptive URLs from Unicode strings, specifically those containing special or non-English characters. Punycode can be misused to craft visually similar URLs in phishing attacks, tricking users into believing they are visiting a trusted website when they are actually being directed to a malicious one.
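A Python check in the spirit of the Lookalike domain and Punycode entries above, added here as an illustration and not part of the Sublime feed or its rules: it decodes ACE ("xn--") labels back to Unicode, flags labels that mix scripts, and folds a small constructed confusables table so the result can be compared against a list of protected domains. The confusables table, the protected-domain set and the function names are assumptions.

```python
import unicodedata

# Constructed subset of Unicode confusables (the real confusables.txt list is
# far larger); maps common Cyrillic/Greek lookalikes onto their Latin twins.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
}

def decode_host(host):
    """Decode each ACE ('xn--') label of a hostname back to Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) or 'COMMON' for digits/punctuation."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(text):
    """Fold confusable characters onto their Latin lookalikes."""
    return "".join(CONFUSABLES.get(c, c) for c in text)

def analyze_host(host, protected):
    """Return the decoded hostname plus findings against a set of protected domains."""
    decoded = decode_host(host)
    findings = []
    for label in decoded.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:  # e.g. Cyrillic 'а' mixed into Latin 'pple'
            findings.append("mixed_script:" + label)
    skel = skeleton(decoded)
    if skel in protected and decoded != skel:  # reads as a protected brand but is not it
        findings.append("lookalike_of:" + skel)
    return {"decoded": decoded, "findings": findings}

if __name__ == "__main__":
    # Constructed sample: 'xn--pple-43d' decodes to Cyrillic 'а' followed by Latin 'pple'.
    print(analyze_host("xn--pple-43d.com", {"apple.com"}))
```

A label written entirely in one non-Latin script passes the mixed-script check, which is why the skeleton comparison is needed as well.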
QR code
Uses QR Codes to direct victims to malicious websites, often leading to data theft or malware installation.
Scripting
Employs scripts (e.g., JavaScript) to obfuscate attacks and make analysis more difficult.
Social engineering
Manipulates human psychology to trick individuals into revealing sensitive information, such as passwords or financial details.
Spoofing
Disguises communication from an unknown source as being from a known, trusted source, often to deceive recipients or systems.
Detection Methods
The technical methodologies and Sublime-specific techniques that recognized and flagged the threat.
Archive analysis
Archive analysis involves examining the contents of compressed files or packages to detect, extract, and assess potential threats.
Computer Vision
Computer Vision examines images embedded in messages or websites to identify visual cues that may indicate malicious intent. This includes identifying logos of reputable companies used to deceive users, fake login pages, fraudulent payment screens, and more.
Content analysis
Content analysis refers to the scrutiny of a message's text to detect potential threats, suspicious behavior or malicious intent.
Exif analysis
Exif analysis refers to the scrutiny of metadata present across various file types, providing insights into attributes like authorship, timestamps, software versions, and more.
File analysis
File analysis deconstructs files into their smaller components for a thorough inspection. It involves recursive processing to extract and analyze all components and internal structures, allowing the identification of malicious scripts, suspicious executables, and hidden texts.
Header analysis
Header analysis examines message headers for irregularities or signs of phishing tactics.
HTML analysis
HTML analysis scans HTML code in web pages or attachments for malicious elements.
JavaScript analysis
JavaScript analysis examines JavaScript (JS) code in message bodies, attachments, and linked pages for suspicious or known malicious elements, including basic scripts and unescaped sequences.
Macro analysis
Macro analysis detects macros, typically embedded in Microsoft Office documents, designed to execute malicious code as a delivery mechanism for malware or to establish a foothold on a system.
Natural Language Understanding
Natural Language Understanding (NLU) applies Machine Learning to analyze text-based content in messages. The extracted analysis, including Tone, Intents, Tags, and keyword recognition, can be used to identify and categorize language commonly used by threat actors.
OLE analysis
OLE (Object Linking and Embedding) analysis inspects objects in documents to identify malicious content.
Optical Character Recognition
Optical Character Recognition (OCR) extracts text from images, enabling analysis of scanned or image-based content.
QR code analysis
QR code analysis identifies the type of data — URL, text, or other data types — stored within the QR code.
Sender analysis
Sender analysis examines the sender’s details, such as domain, email address, frequency of contact, and other signals to inform decisions about the sender’s authenticity and relationship with the recipient.
Threat intelligence
Threat intelligence leverages data on known and emerging phishing threats. It can include information such as malicious URLs, domains, file hashes, IP addresses, and more.
URL analysis
URL analysis inspects and classifies links in message bodies or attachments. It covers various aspects such as body links, URLs, reputation, paths, and query parameters. LinkAnalysis, a type of URL analysis, submits suspicious URLs to a headless browser to resolve the effective URL and capture a screenshot for further analysis.
URL screenshot
Screenshots of linked web pages are visually inspected for phishing content or suspicious sites.
Whois
Domain registration information is retrieved from Whois databases to detect suspicious or newly created domains.
XML analysis
XML files are scanned for potential phishing elements, such as scripts or embedded URLs.
YARA
Messages are evaluated for matching YARA signatures. YARA is a pattern matching language used to identify known malware families or behavior based on regular expression and textual or binary patterns.