MQL is highly extensible and can integrate virtually any tool or service to build better detection rules.
Request a function!
Don't see a function you want? Let us know via email or Slack!
beta.binexplode(input: Attachment) -> [BinExplodeOutput]
BinExplode uses Strelka, a file extraction and metadata collection system developed by Target.
Strelka uses a variety of scanners to parse files of a specific flavor and performs data collection and/or file extraction on them. Strelka can recursively extract nested files (like a Word doc within a Zip file), identify malicious scripts, suspicious executables and text, run analysis like OCR and Macro detection, and more. For more information on how Strelka works, see the official Strelka documentation.
- YARA support
- External API integrations, like VirusTotal
- Analyze binaries from external URLs, like Google Drive and drive-by downloads
beta.oletools(input: Attachment) -> OleToolsOutput
Use beta.oletools to analyze attachments for malware or suspicious indicators like VBA macros, remote OLE objects, encryption, and more.
```
// detect suspicious macros
any(attachments, beta.oletools(.).indicators.vba_macros.exists)
any(attachments, beta.oletools(.).indicators.vba_macros.risk == "high")

// detect potential attempts to exploit CVE-2021-40444
// (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)
any(attachments,
    any(beta.oletools(.).relationships, iregex_search(.target, ".*html:http.*"))
)

// detect external OLE object relationships
any(attachments, beta.oletools(.).indicators.external_relationships.count > 0)

// detect encrypted Office documents
any(attachments, beta.oletools(.).indicators.encryption.exists)

// detect macros that attempt to auto-execute when the document is opened
any(attachments, any(beta.oletools(.).macros.keywords, .type == "autoexec"))

// detect suspicious macro source code
any(attachments,
    iregex_search(beta.oletools(.).macros.vba_code_all_modules, ".*kernel32.*", ".*GetProcessId.*")
)
```
beta.ml_macro_classifier(input: File) → MLMacrosOutput
The Sublime Macro Classifier introduces machine learning in MQL to detect malicious VBA macro attachments. Combining ML and MQL allows users to combine the model output with custom detection logic to surface what matters most while reducing the noise commonly associated with black-box ML approaches.
Use beta.ml_macro_classifier to detect suspicious VBA macro attachments.
```
// detect malicious VBA macros in Office documents, high confidence
any(attachments,
    .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm", "zip")
    and beta.ml_macro_classifier(.).malicious
    and beta.ml_macro_classifier(.).confidence in ("high")
)

// detect malicious VBA macros in Office documents, low or medium confidence
any(attachments,
    .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm", "zip")
    and beta.ml_macro_classifier(.).malicious
    and beta.ml_macro_classifier(.).confidence in ("low", "medium")
)
```
beta.linkanalysis(input: Link) → LinkAnalysisOutput
LinkAnalysis analyzes a link and classifies it as benign or suspicious. The service sends suspicious URLs to a headless browser, which resolves the effective URL and collects a screenshot. The screenshot is sent to an object detection model to detect brand logos, buttons, and input forms. We chose Phishpedia, an open source object detection project, as our baseline model architecture.
If any logos are detected, those logos are cropped from the original screenshot and compared to a set of protected brand logos commonly used in credential phishing attacks. Discovered brands are available to MQL, along with summary information about login input boxes or captchas in the screenshot.
```
// detect links to credential phishing pages
any(body.links,
    all([beta.linkanalysis(.)],
        .credphish.disposition == "phishing"
        and .credphish.brand.confidence in ("medium", "high")
    )
)

// detect free subdomain links with a login or captcha
any(body.links,
    all([beta.linkanalysis(.)],
        (.credphish.contains_login or .credphish.contains_captcha)
        and (
            .effective_url.domain.root_domain in $free_subdomain_hosts
            or .original_url.domain.root_domain in $free_subdomain_hosts
        )
    )
)
```
Natural Language Understanding, or NLU, provides users with a machine learning service to analyze text-based content. The service has two primary capabilities:
- Email Classification
- Named Entity Recognition
The Email Classification component takes a body of text as input and provides Intent and/or Content tags.
Intents are top-level categories describing common language attackers use to carry out phishing attacks.
| Intent description |
|---|
| Emails containing urgent language about quick tasks from C-suite, HR, and Accounting Depts. |
| Emails containing language about renewing/purchasing services such as tech support, antivirus, or cryptocurrency. |
| Emails containing language urging users to visit a link leading to a realistic-looking portal that requires their credentials to log in. |
| Emails meant to intimidate victims with threats of blackmail. |
| Emails requesting updates to billing information, personal identification, and tax returns. |
Content tags are subcategories that provide additional context for financial-themed phishing attacks. The service returns the following values:
| Content tag description |
|---|
| These emails contain language about viewing invoices via links or attachments. |
| These emails contain language about ACH, EFT, or Wire payments. |
| These emails contain language about Purchase Orders or Requests for Quotation. |
```
type.inbound
and any([body.plain.raw, body.html.inner_text],
        any(beta.ml_nlu_classifier(.).intents,
            .name == "bec" and .confidence == "high"
        )
)
// first-time sender
and (
    (
        sender.email.domain.root_domain in $free_email_providers
        and sender.email.email not in $sender_emails
    )
    or (
        sender.email.domain.root_domain not in $free_email_providers
        and sender.email.domain.domain not in $sender_domains
    )
)
```
Named Entity Recognition (NER) identifies, tags, and extracts important keywords within a body of text. Users can leverage this output to determine if an email contains language commonly associated with urgency, requests, or financial matters. The available entities are listed below:
| Description | Examples |
|---|---|
| Token(s) that aid in the identification of the recipient | hello, dear |
| Token(s) containing financial details such as payments, bank accounts, or real estate transactions | wire, bank details, ACH payment |
| Token(s) containing an organization name | Google, Microsoft |
| Token(s) representing the recipient of the email. Either a name or a generic designator. | Jane Doe, all |
| Token(s) asking the recipient to act on behalf of the sender | "I need you to", "please open" |
| Token(s) signifying the end of the correspondence; aids in the identification of the sender | thanks, regards |
| Token(s) representing the sender of an email. Either a name or a generic designator. | Ms. Tyrell, IT Department |
| Token(s) containing language meant to urge the recipient to act immediately | ASAP, immediately |
```
type.inbound
and sender.display_name in~ $org_display_names
// a single entity cannot be both "urgency" and "request", so check for each separately
and any([body.plain.raw, body.html.inner_text],
        any(beta.ml_nlu_classifier(.).entities, .name == "urgency")
        and any(beta.ml_nlu_classifier(.).entities, .name == "request")
)
// first-time sender
and (
    (
        sender.email.domain.root_domain in $free_email_providers
        and sender.email.email not in $sender_emails
    )
    or (
        sender.email.domain.root_domain not in $free_email_providers
        and sender.email.domain.domain not in $sender_domains
    )
)
```
It is important to remember that the NLU engine only looks at text. Because of this, it needs additional context to be an adequate detector. For example, attackers may craft an email that looks the same as a password reset for your favorite social network. The NLU engine would classify the text as cred_theft, but it would also do the same for a legitimate password reset email. Pairing it with a First-Time/Unsolicited Sender or LinkAnalysis check provides the necessary context to make an effective detector.
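The pairing described above written out as a single MQL rule, as an added example that is not part of the original page: the cred_theft intent only produces a detection when either LinkAnalysis flags a body link as a phishing page or the message comes from a first-time sender. It assumes the same `$free_email_providers`, `$sender_emails` and `$sender_domains` lists the earlier examples use.

```mql
// credential theft language alone is noisy (a legitimate password reset
// reads the same), so require one of two corroborating signals
type.inbound
and any([body.plain.raw, body.html.inner_text],
        any(beta.ml_nlu_classifier(.).intents,
            .name == "cred_theft" and .confidence == "high"
        )
)
and (
    // context 1: a link in the body resolves to a credential phishing page
    any(body.links,
        all([beta.linkanalysis(.)], .credphish.disposition == "phishing")
    )
    // context 2: first-time sender, using the same lists as the examples above
    or (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $sender_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $sender_domains
        )
    )
)
```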