From b248829b8d7e5e692c71a83e85841d1f0ecbcef0 Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Thu, 7 May 2026 17:35:58 -0400
Subject: [PATCH 1/6] Create body_self_sender_bold.yml

---
detection-rules/body_self_sender_bold.yml | 28 +++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 detection-rules/body_self_sender_bold.yml

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
new file mode 100644
index 00000000000..1f301a5ad8e
--- /dev/null
+++ b/detection-rules/body_self_sender_bold.yml
@@ -0,0 +1,28 @@
+name: "Self-impersonation: Sender matches recipient with bolded name and suspicious link"
+description: "Detects messages where the sender's email address matches the recipient's email address, with the sender's display name appearing in bold text and a suspicious 'Read the Message' link present in the body."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // sender matches recipients
+ and (
+ length(recipients.to) == 1
+ and recipients.to[0].email.email == sender.email.email
+ )
+ // sender in current thread BOLD
+ and any(html.xpath(body.html, '//b').nodes,
+ .display_text == sender.display_name
+ )
+ and any(html.xpath(body.html, '//a/b').nodes,
+ .display_text == "Read the Message"
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "HTML analysis"
+ - "Sender analysis"

From 5978af44b837d952c125f64395a47f8071a19c2c Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Thu, 7 May 2026 21:41:31 +0000
Subject: [PATCH 2/6] Auto-format MQL and add rule IDs

---
detection-rules/body_self_sender_bold.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
index 1f301a5ad8e..b21f4676e8c 100644
--- a/detection-rules/body_self_sender_bold.yml
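Review bot: The `recipients.to[0].email.email == sender.email.email` check relies on the From header alone, so a genuinely self-addressed message with a bolded signature and a 'Read the Message' notification satisfies it the same way a spoofed one does; gating on failed sender authentication, e.g. `and not headers.auth_summary.dmarc.pass`, would separate the two and is the usual companion to a self-impersonation check. Both `.display_text ==` comparisons are exact and case-sensitive, so `Read the message` or a bolded name with different surrounding whitespace is missed. The description also promises a 'suspicious link' that no condition examines — the rule only inspects anchor text, never an href — so either say so in `description` or add a link-level condition such as the `$free_file_hosts` check introduced later in this series.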
+++ b/detection-rules/body_self_sender_bold.yml
@@ -11,12 +11,11 @@ source: |
 )
 // sender in current thread BOLD
 and any(html.xpath(body.html, '//b').nodes,
- .display_text == sender.display_name
+ .display_text == sender.display_name
 )
 and any(html.xpath(body.html, '//a/b').nodes,
- .display_text == "Read the Message"
+ .display_text == "Read the Message"
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -26,3 +25,4 @@ detection_methods:
 - "Header analysis"
 - "HTML analysis"
 - "Sender analysis"
+id: "0129a805-2fe2-5a40-81bc-b3459085aa23"

From d91299d289dff607e176a0da7080a26f31f3c8ee Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Fri, 15 May 2026 14:40:13 -0400
Subject: [PATCH 3/6] Update body_self_sender_bold.yml

---
detection-rules/body_self_sender_bold.yml | 32 +++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
index b21f4676e8c..97b18786869 100644
--- a/detection-rules/body_self_sender_bold.yml
+++ b/detection-rules/body_self_sender_bold.yml
@@ -13,8 +13,36 @@ source: |
 and any(html.xpath(body.html, '//b').nodes,
 .display_text == sender.display_name
 )
- and any(html.xpath(body.html, '//a/b').nodes,
- .display_text == "Read the Message"
+ and length(html.xpath(body.html, '//a/b').nodes) == 1
+ and strings.parse_url(html.xpath(body.html, '//a/b').nodes[0].display_text,
+ strict=false
+ ).url is null
+ and any(html.xpath(body.html, '//a/b').nodes,
+ .display_text in~ (
+ "Read the Message",
+ "OPEN",
+ "Open in drive",
+ "Open document here",
+ "open document",
+ "open documents",
+ 'view document',
+ 'view documents',
+ 'access document',
+ 'access documents',
+ 'review documents',
+ 'review document',
+ // 501e5fe43fa30ccdca9469ab545a6639c9a60952b882823fa1663004de7b4df0
+ 'view payment details'
+ )
+ or strings.icontains(.display_text, "Download")
+ or strings.icontains(.display_text, "Review Here")
+ or strings.iends_with(.display_text, ".pdf")
+ // 504788258b421818209543b506f4bbe7cf6615f596726c80b0775870c8764b64
+ or strings.iends_with(.display_text, ".html")
+ // displaytext == subject
+ // https://platform.sublime.security/messages/504db0811037ff63d49b62e683f3a8a0e4d8284158163708c3630ceec556aa47?preview_id=019d8d5c-f2c7-7d46-8697-f6f4632fdf24
+ or .display_text == subject.base
+ or any(.links, .href_url.domain.domain in $free_file_hosts)
 )
 attack_types:
 - "Credential Phishing"

From cea5de68f1a6372400f4677c0a89bb0e1fff4f44 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 18:41:25 +0000
Subject: [PATCH 4/6] Auto-format MQL and add rule IDs

---
detection-rules/body_self_sender_bold.yml | 52 +++++++++++------------
1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
index 97b18786869..48104629478 100644
--- a/detection-rules/body_self_sender_bold.yml
+++ b/detection-rules/body_self_sender_bold.yml
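Review bot: The `or .display_text == subject.base` line is the only case-sensitive comparison in the new predicate — every sibling uses `in~`, `strings.icontains` or `strings.iends_with` — so a link text that differs from the subject only in case is the one variant this branch misses; if exact case is intended, a short comment saying so would save the next reader a question, otherwise align it with the rest. The `length(html.xpath(body.html, '//a/b').nodes) == 1` guard means the following `any(...)` always iterates a single node, which is fine but reads as two different assumptions next to `nodes[0]`; a comment such as `// exactly one bold link; the any() below inspects that single node` would tie them together. The `source` block starts before this hunk.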
@@ -17,32 +17,32 @@ source: |
 and strings.parse_url(html.xpath(body.html, '//a/b').nodes[0].display_text,
 strict=false
 ).url is null
- and any(html.xpath(body.html, '//a/b').nodes,
- .display_text in~ (
- "Read the Message",
- "OPEN",
- "Open in drive",
- "Open document here",
- "open document",
- "open documents",
- 'view document',
- 'view documents',
- 'access document',
- 'access documents',
- 'review documents',
- 'review document',
- // 501e5fe43fa30ccdca9469ab545a6639c9a60952b882823fa1663004de7b4df0
- 'view payment details'
- )
- or strings.icontains(.display_text, "Download")
- or strings.icontains(.display_text, "Review Here")
- or strings.iends_with(.display_text, ".pdf")
- // 504788258b421818209543b506f4bbe7cf6615f596726c80b0775870c8764b64
- or strings.iends_with(.display_text, ".html")
- // displaytext == subject
- // https://platform.sublime.security/messages/504db0811037ff63d49b62e683f3a8a0e4d8284158163708c3630ceec556aa47?preview_id=019d8d5c-f2c7-7d46-8697-f6f4632fdf24
- or .display_text == subject.base
- or any(.links, .href_url.domain.domain in $free_file_hosts)
+ and any(html.xpath(body.html, '//a/b').nodes,
+ .display_text in~ (
+ "Read the Message",
+ "OPEN",
+ "Open in drive",
+ "Open document here",
+ "open document",
+ "open documents",
+ 'view document',
+ 'view documents',
+ 'access document',
+ 'access documents',
+ 'review documents',
+ 'review document',
+ // 501e5fe43fa30ccdca9469ab545a6639c9a60952b882823fa1663004de7b4df0
+ 'view payment details'
+ )
+ or strings.icontains(.display_text, "Download")
+ or strings.icontains(.display_text, "Review Here")
+ or strings.iends_with(.display_text, ".pdf")
+ // 504788258b421818209543b506f4bbe7cf6615f596726c80b0775870c8764b64
+ or strings.iends_with(.display_text, ".html")
+ // displaytext == subject
+ // https://platform.sublime.security/messages/504db0811037ff63d49b62e683f3a8a0e4d8284158163708c3630ceec556aa47?preview_id=019d8d5c-f2c7-7d46-8697-f6f4632fdf24
+ or .display_text == subject.base
+ or any(.links, .href_url.domain.domain in $free_file_hosts)
 )
 attack_types:
 - "Credential Phishing"

From e57ee0162a960f187dcd322b9445f72e251d8a66 Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Fri, 29 May 2026 11:43:04 -0400
Subject: [PATCH 5/6] Update body_self_sender_bold.yml

Reverting logic a bit - narrowing it down to remove FPs.
Hunt: https://platform.sublime.security/messages/hunt?huntId=019e73c5-efe2-7c30-9217-9c75f1e11e64
multi-hunt: https://hunt.limeseed.email/hunts/c91f5cf8-02a0-4737-8308-18a260f3af92
---
detection-rules/body_self_sender_bold.yml | 37 +++++------------------
1 file changed, 7 insertions(+), 30 deletions(-)

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
index 48104629478..02680970989 100644
--- a/detection-rules/body_self_sender_bold.yml
+++ b/detection-rules/body_self_sender_bold.yml
@@ -11,38 +11,15 @@ source: |
 )
 // sender in current thread BOLD
 and any(html.xpath(body.html, '//b').nodes,
- .display_text == sender.display_name
+ .display_text == sender.display_name
 )
- and length(html.xpath(body.html, '//a/b').nodes) == 1
- and strings.parse_url(html.xpath(body.html, '//a/b').nodes[0].display_text,
- strict=false
- ).url is null
- and any(html.xpath(body.html, '//a/b').nodes,
- .display_text in~ (
- "Read the Message",
- "OPEN",
- "Open in drive",
- "Open document here",
- "open document",
- "open documents",
- 'view document',
- 'view documents',
- 'access document',
- 'access documents',
- 'review documents',
- 'review document',
- // 501e5fe43fa30ccdca9469ab545a6639c9a60952b882823fa1663004de7b4df0
- 'view payment details'
+ // we want the dashed html element to contain a link, and that link to include part of the subject (the subject is the org)
+ and any(html.xpath(body.html, '//table//td[contains(@style, "border-style: dashed") and contains(@style, "border-width: 1pt")]//a[./b]').nodes,
+ any(regex.extract(subject.base, '(?P\w+)'),
+ any(..links,
+ strings.icontains(.href_url.url, ..named_groups["word"])
 )
- or strings.icontains(.display_text, "Download")
- or strings.icontains(.display_text, "Review Here")
- or strings.iends_with(.display_text, ".pdf")
- // 504788258b421818209543b506f4bbe7cf6615f596726c80b0775870c8764b64
- or strings.iends_with(.display_text, ".html")
- // displaytext == subject
- // https://platform.sublime.security/messages/504db0811037ff63d49b62e683f3a8a0e4d8284158163708c3630ceec556aa47?preview_id=019d8d5c-f2c7-7d46-8697-f6f4632fdf24
- or .display_text == subject.base
- or any(.links, .href_url.domain.domain in $free_file_hosts)
+ )
 )
 attack_types:
 - "Credential Phishing"

From 691da4c8eae400d3f6320a065217155ef28b2b1c Mon Sep 17 00:00:00 2001
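Review bot: As rendered, the regex in `any(regex.extract(subject.base, '(?P\w+)'), …)` carries no group name, yet the inner predicate reads `..named_groups["word"]`; `(?P` must be followed by `<name>`, so either the angle brackets were lost when this page was extracted or the expression will not compile — worth confirming the committed file reads `(?P<word>\w+)`, here and in the final auto-format patch that repeats it. Independently, `\w+` extracts every word of the subject including one- and two-character tokens, and `strings.icontains(.href_url.url, …)` then matches them anywhere in the URL, so a subject containing "a", "to" or "re" satisfies the check for almost any link; a minimum length such as `\w{4,}` would keep the stated intent that the link contains the org name from the subject. The `source` block begins before this hunk.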
From: CI Bot
Date: Fri, 29 May 2026 15:44:21 +0000
Subject: [PATCH 6/6] Auto-format MQL and add rule IDs

---
detection-rules/body_self_sender_bold.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/detection-rules/body_self_sender_bold.yml b/detection-rules/body_self_sender_bold.yml
index 02680970989..336bd5524ce 100644
--- a/detection-rules/body_self_sender_bold.yml
+++ b/detection-rules/body_self_sender_bold.yml
@@ -11,15 +11,17 @@ source: |
 )
 // sender in current thread BOLD
 and any(html.xpath(body.html, '//b').nodes,
- .display_text == sender.display_name
+ .display_text == sender.display_name
 )
- // we want the dashed html element to contain a link, and that link to include part of the subject (the subject is the org)
- and any(html.xpath(body.html, '//table//td[contains(@style, "border-style: dashed") and contains(@style, "border-width: 1pt")]//a[./b]').nodes,
- any(regex.extract(subject.base, '(?P\w+)'),
- any(..links,
- strings.icontains(.href_url.url, ..named_groups["word"])
+ // we want the dashed html element to contain a link, and that link to include part of the subject (the subject is the org)
+ and any(html.xpath(body.html,
+ '//table//td[contains(@style, "border-style: dashed") and contains(@style, "border-width: 1pt")]//a[./b]'
+ ).nodes,
+ any(regex.extract(subject.base, '(?P\w+)'),
+ any(..links,
+ strings.icontains(.href_url.url, ..named_groups["word"])
+ )
 )
- )
 )
 attack_types:
 - "Credential Phishing"