Using MQL to Stop Novel Email Phishing Attacks
Email phishing has evolved over the last half-decade, producing novel attacks that routinely bypass legacy phishing protection controls. Whereas scams once betrayed themselves with faulty grammar or other visible signs of a phish, today's lures carry impeccable, clean-looking logos, references to a trusted brand and a sense of urgency for the recipient.
To handle the evolving nature of phishing threats, Message Query Language (MQL) was created to gain visibility into email attack patterns and give defenders control of their email environment.
An Intuitive Way to Customize and Share Detections
MQL is an open, domain-specific language that enables defenders to write their own tailored rules for attacks they’re seeing, modify any existing rules written by peers in the community and transparently understand why a message was flagged as suspicious.
Sublime Security introduced MQL last year to help users easily search and investigate emails for potential threats like phishing, business email compromise (BEC), malware and other malicious content. Defenders can specify email attributes like sender, recipient, subject line, content keywords, attachments and even email metadata.
MQL is built on several components of the Sublime Security platform: the Message Data Model, the rule syntax, functions, lists and an interactive editor. Anyone with a technical background can write, share or use prewritten MQL rules, which are open source on GitHub.
Message Data Model
Standard email messages are still exchanged in the decades-old EML format, which is difficult to work with despite standards such as RFC 5322. Most emails must still be analyzed as plain text, which makes writing detection logic difficult.
Instead of handling raw text emails as is, Sublime built a platform that parses the format into a highly structured schema, the Message Data Model (MDM), designed specifically for detection. Defenders no longer have to wrangle complex regular expressions that can only search the headers or the body. The MDM separates attachments, body, headers, recipients and various other fields into a single document that maps naturally to JSON.
For example, the MDM records whether a hyperlink's display text disagrees with its target URL, or which top-level domain (TLD) a hyperlinked target belongs to.
To make MQL simple to read and write, it uses a straightforward syntax that makes customizing detection logic easy. For example, here is a rule that flags inbound messages containing at least one PDF attachment larger than 10 MiB:
type.inbound
and any(attachments, .file_type == "pdf" and .size > 10 * 1024 * 1024)
Dissecting the above query’s syntax:
- type.inbound: This retrieves the nested field type → inbound from the MDM. It is true only for incoming messages to a mailbox.
- and: Boolean AND between two terms. MQL uses plain English words like “and” instead of symbols, like &&.
- any(attachments, …): Check if at least one attachment on the MDM matches some criteria. In MQL, there are several functions to check arrays, such as any, all, and distinct. In an array function, fields on a nested item are referenced with a preceding dot (.).
- . (dot): Access a nested item. The leading . indicates that a field is relative to a nested item, not root fields on the MDM.
- .file_type == "pdf": Has a PDF file type.
- .size > 10 * 1024 * 1024: Has a file size greater than 10 MiB. MQL supports arithmetic operators, so calculations like this are evaluated on the fly.
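To make the Message Data Model and the rule syntax concrete, here is an added example (not Sublime's code and not the real MDM schema) that parses an RFC 5322 message with Python's standard library into a simplified, JSON-serialisable model and evaluates two rules over it: the large-inbound-PDF rule dissected above and the display-text-versus-target link mismatch the MDM section mentions. The field names, the content sniffing in _file_type, the ORG_DOMAINS set used to decide type.inbound and the sample message built by build_sample_eml are all assumptions made for illustration.

```python
import email
import json
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's own mail domains, used to decide type.inbound.
ORG_DOMAINS = {"example.com"}


class _LinkExtractor(HTMLParser):
    """Collect every <a href> target together with its visible display text."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(_link_record(self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _link_record(href, display_text):
    target = _host(href)
    # Display text that itself looks like a URL or hostname but names a
    # different host than the real target is the classic mismatch lure.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    shown_host = shown.group(1) if shown else ""
    mismatch = bool(shown_host) and shown_host != target and not target.endswith("." + shown_host)
    return {"href": href, "display_text": display_text, "display_url_mismatch": mismatch,
            "domain": target, "tld": target.rsplit(".", 1)[-1] if "." in target else ""}


def _file_type(data, name):
    """Type sniffed from magic bytes, independent of the claimed file name (simplified)."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK"):
        return "zip"
    if data.startswith(b"MZ"):
        return "exe"
    return name.rsplit(".", 1)[-1].lower() if "." in name else "unknown"


def _addresses(msg, header):
    hdr = msg.get(header)
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def mdm_from_eml(raw):
    """Parse raw RFC 5322 bytes into a simplified, JSON-serialisable message model."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (_addresses(msg, "From") or [""])[0]
    sender_domain = sender.rsplit("@", 1)[-1]
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    html_part = msg.get_body(preferencelist=("html",))
    plain_part = msg.get_body(preferencelist=("plain",))
    html = html_part.get_content() if html_part else ""
    extractor = _LinkExtractor()
    extractor.feed(html)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        attachments.append({"file_name": name, "size": len(data),
                            "file_extension": name.rsplit(".", 1)[-1].lower() if "." in name else "",
                            "file_type": _file_type(data, name),
                            "content_type": part.get_content_type()})
    return {
        "type": {"inbound": sender_domain not in ORG_DOMAINS
                 and any(r.rsplit("@", 1)[-1] in ORG_DOMAINS for r in recipients)},
        "sender": {"email": {"email": sender, "domain": {"domain": sender_domain}}},
        "recipients": {"to": _addresses(msg, "To"), "cc": _addresses(msg, "Cc")},
        "subject": {"subject": str(msg.get("Subject", ""))},
        "headers": {"message_id": str(msg.get("Message-ID", ""))},
        "body": {"plain": {"raw": plain_part.get_content() if plain_part else ""},
                 "html": {"raw": html}, "links": extractor.links},
        "attachments": attachments,
    }


def rule_large_inbound_pdf(mdm):
    # type.inbound and any(attachments, .file_type == "pdf" and .size > 10 * 1024 * 1024)
    return mdm["type"]["inbound"] and any(
        a["file_type"] == "pdf" and a["size"] > 10 * 1024 * 1024 for a in mdm["attachments"])


def rule_display_url_mismatch(mdm):
    """Flag links whose visible text claims one host while the href goes elsewhere."""
    return any(link["display_url_mismatch"] for link in mdm["body"]["links"])


def build_sample_eml(pdf_padding=10 * 1024 * 1024):
    """Constructed sample: external sender, spoofed link in the HTML body, one PDF."""
    m = EmailMessage()
    m["From"] = "Billing <billing@invoice-portal.example.net>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Overdue invoice"
    m["Message-ID"] = "<constructed-0001@invoice-portal.example.net>"
    m.set_content("Please review the attached invoice.")
    m.add_alternative('<p>Open <a href="http://login.example.net/portal">'
                      'https://www.example.com/login</a> to pay.</p>', subtype="html")
    m.add_attachment(b"%PDF-1.4\n" + bytes(pdf_padding), maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    mdm = mdm_from_eml(build_sample_eml())
    print(json.dumps({k: v for k, v in mdm.items() if k != "body"}, indent=2))
    print("large inbound pdf:", rule_large_inbound_pdf(mdm))
    print("display/target mismatch:", rule_display_url_mismatch(mdm))
```

Note that file_type is derived from the attachment bytes while file_extension comes from the claimed file name; keeping both in the model is what lets a rule such as the one above key on the real content rather than on whatever the attacker named the file.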
Functions support more sophisticated checks, such as substring searches, regex evaluation, domain age checks or inspection of links for credential phishing attempts.
The modified snippet of MQL below, taken from a callback phishing rule, searches a ZIP attachment for images or PDFs, runs OCR over them to extract any text, and then applies Natural Language Understanding (NLU) to check, with high confidence, whether that text resembles a callback scam. While it sounds complicated, it is only a few lines of MQL:
type.inbound
and any(attachments,
        .file_extension == "zip"
        // file.explode unpacks the archive so each contained file can be inspected
        and any(file.explode(.),
                .file_extension in~ ("pdf", "jpg", "jpeg", "png")
                // ml.nlu_classifier runs the intent model over the OCR'd text of the file
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "callback_scam"
                        and .confidence == "high"
                )
        )
)
Lists are collections of strings or other items that any rule can reference. Built-in lists are maintained automatically by the Sublime platform and provide immediate global or historical context for your environment. For anything else, defenders can create and manage custom lists in the Dashboard or via the API. For example, a rule that checks whether a sender has never emailed your organization before could be written as:
sender.email.email not in $sender_emails
The MQL editor offers an extensive set of features covering every phase of detection engineering:
- Debugger to evaluate functions
- Diagnostics to recognize possible logical errors
- Errors, hints and warnings
- Function signature support
- Real-time analysis of .eml files
- Syntax highlighting
The editor can also load email files as EMLs so that rules can be iterated on quickly against real messages. As a rule is evaluated against a loaded message, the editor highlights each part of the expression that matched; if the whole rule matches, a Message flagged ✅ indicator appears. These rich features let detection engineers create robust rules with greater confidence, speed and precision.
Applying MQL to Detect QR Code Phishing Attacks
Through these components of MQL, defenders can tailor detection logic to the phishing threats that evade traditional controls in their own organization. The recent uptick in QR code phishing, where a QR code sent in an email leads the recipient to a malicious website, evades traditional detection strategies that operate on the plain text of an email. Attackers use QR codes because their prevalence in legitimate business uses such as multifactor authentication has conditioned people to view them as benign.
Email detection rules powered by MQL can dissect the multiple tactics used in QR code phishes, including:
- Identifying an incoming QR code, whether it is embedded in the message body or in an attachment.
- Uncovering the landing-page destination, even when it is hidden behind a shortened URL.
- Locating the final destination URL when the link passes through multiple redirects.
Beyond the initial identification of a malicious QR code, the real power of MQL lies in a deeper inspection of what sits behind the decoded URL, which gives insight into correlated attacks. In the post-detection rule excerpt below, the clause
any(.files_downloaded, .file_extension in $file_extensions_common_archives or .file_extension in $file_extensions_executables)
checks what the URL launched by the QR code attempts to download, comparing the extension of each fetched file against the $-prefixed lists of commonly abused archive types and executable extensions. A hit gives exact insight into the technique in use: the archive format and the specific malware executable can correlate with the calling-card TTPs of particular threat actors.
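As an added example (not Sublime's link-analysis implementation), the following Python code shows the post-detection step above in working form: it takes a URL already decoded from a QR code, follows the redirect chain one hop at a time under a hop limit, records the full history, inspects what the final hop serves and applies the files_downloaded check against stand-in archive and executable extension lists. The QR decoding step itself is assumed to have happened already, the _FakeShortener server is a constructed stand-in on localhost for a shortener-plus-payload chain, and the contents of COMMON_ARCHIVES and EXECUTABLES are assumptions, not Sublime's built-in lists.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin, urlsplit

# Stand-ins for the MQL lists $file_extensions_common_archives and
# $file_extensions_executables; these contents are an assumption, not Sublime's lists.
COMMON_ARCHIVES = {"zip", "rar", "7z", "iso", "img", "gz", "tar", "cab"}
EXECUTABLES = {"exe", "msi", "scr", "bat", "cmd", "ps1", "vbs", "js", "jse", "lnk", "hta"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _filename(resp, url):
    """Prefer the server-supplied Content-Disposition name, else the last URL path segment."""
    m = re.search(r'filename\*?="?([^";]+)', resp.getheader("Content-Disposition") or "")
    if m:
        return m.group(1).split("''")[-1]  # drop an RFC 5987 charset prefix if present
    return urlsplit(url).path.rsplit("/", 1)[-1]


def analyze_link(url, max_hops=10):
    """Follow a redirect chain hop by hop (never blindly), recording every URL,
    then inspect what the final hop serves.  The result mirrors the shape used in
    the MQL snippet: effective_url, redirect_history and files_downloaded."""
    chain, files, current = [url], [], url
    hop_limit_hit = True  # stays True if the loop below never reaches a final page
    for _ in range(max_hops):
        p = urlsplit(current)
        conn = http.client.HTTPConnection(p.hostname, p.port, timeout=5)
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""),
                     headers={"User-Agent": "link-analysis/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if resp.status in REDIRECT_CODES and location:
            resp.read()
            conn.close()
            current = urljoin(current, location)  # Location may be relative
            chain.append(current)
            continue
        body = resp.read()
        conn.close()
        ctype = (resp.getheader("Content-Type") or "").lower()
        disposition = (resp.getheader("Content-Disposition") or "").lower()
        # Anything served as an attachment, or that is not an HTML page, is a download.
        if "attachment" in disposition or not ctype.startswith("text/html"):
            name = _filename(resp, current)
            files.append({"file_name": name, "content_type": ctype, "size": len(body),
                          "file_extension": name.rsplit(".", 1)[-1].lower() if "." in name else ""})
        hop_limit_hit = False
        break
    return {"effective_url": current, "redirect_history": chain,
            "files_downloaded": files, "hop_limit_hit": hop_limit_hit}


def rule_qr_link_drops_payload(link_analysis):
    # any(.files_downloaded, .file_extension in $file_extensions_common_archives
    #                        or .file_extension in $file_extensions_executables)
    return any(f["file_extension"] in COMMON_ARCHIVES or f["file_extension"] in EXECUTABLES
               for f in link_analysis["files_downloaded"])


class _FakeShortener(BaseHTTPRequestHandler):
    """Constructed local server: shortener -> tracker -> archive download."""

    def log_message(self, *args):  # keep test output quiet
        pass

    def do_GET(self):
        host = self.headers["Host"]
        if self.path == "/s/4k2x":
            self._redirect("/r/next")                                # relative Location
        elif self.path == "/r/next":
            self._redirect(f"http://{host}/dl/invoice_4421.zip")    # absolute Location
        elif self.path == "/dl/invoice_4421.zip":
            self._serve(b"PK\x05\x06" + b"\x00" * 18, "application/zip",
                        'attachment; filename="invoice_4421.zip"')   # empty ZIP
        elif self.path == "/loop":
            self._redirect("/loop")                                  # never terminates
        else:
            self._serve(b"<html><form>Sign in</form></html>", "text/html")

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _serve(self, body, ctype, disposition=None):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        if disposition:
            self.send_header("Content-Disposition", disposition)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_server():
    """Bind the constructed server to an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_fake_server()
    result = analyze_link(base + "/s/4k2x")
    print(" -> ".join(result["redirect_history"]))
    print("drops payload:", rule_qr_link_drops_payload(result))
    srv.shutdown()
```

Two details matter for the failure modes a QR lure relies on: the chain is walked manually so a redirect loop or an unbounded shortener hop count ends with hop_limit_hit set rather than a hung fetch, and a download is recognised from the response itself (Content-Disposition or a non-HTML content type), not from whether the original short link "looked like" a file.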
Phishing continues to be the top attack vector as bad actors innovate with new techniques like malicious QR codes to bypass defenses. An open platform using easy-to-grasp MQL empowers defenders to customize Core Feed rules to their organization’s email patterns for more robust protection.