Attachment: PDF with multistage landing - ClickUp abuse
Detects inbound messages whose single PDF attachment contains exactly one URL, pointing at a ClickUp document (doc.clickup.com), where the ClickUp page has since been taken down or where the page's outbound links lead to newly registered domains, free file hosts, free subdomain hosts, URL shorteners or social landing hosts, or where call-to-action links resolve to a credential-phishing page, a CAPTCHA gate, or an evasive redirect to a popular (Tranco top-10k) site.
Sublime rule (MQL source)
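name: "Attachment: PDF with multistage landing - ClickUp abuse"
description: "Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages."
type: "rule"
severity: "high"
source: |
  // Scope: an inbound message with exactly one attachment, that attachment is a
  // PDF, and its top-level content (depth 0) holds exactly one URL which points
  // at doc.clickup.com. The ClickUp document is the first stage; the page it
  // renders is fetched and the links it contains are inspected as the second stage.
  type.inbound
  and length(attachments) == 1
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  .depth == 0
                  and length(.scan.url.urls) == 1
                  and any(.scan.url.urls,
                          .domain.domain == "doc.clickup.com"
                          and (
                            // stage 1 already removed: the ClickUp document has been taken down
                            strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                                                 'This page is currently unavailable'
                            )
                            // stage 2: inspect the links inside the rendered ClickUp document,
                            // ignoring links back to clickup.com and to the org's own domains
                            or any(filter(ml.link_analysis(.).final_dom.links,
                                          .href_url.domain.root_domain != 'clickup.com'
                                          and .href_url.domain.root_domain not in $org_domains
                                   ),
                                   (
                                     // the link's domain was registered less than 30 days ago
                                     // NOTE(review): if the whois lookup fails, days_old is presumably
                                     // null and this comparison does not match - confirm
                                     network.whois(.href_url.domain).days_old < 30
                                     // the link goes to a free file host
                                     or .href_url.domain.root_domain in $free_file_hosts
                                     or .href_url.domain.domain in $free_file_hosts

                                     // the link goes to a free subdomain host
                                     or (
                                       .href_url.domain.root_domain in $free_subdomain_hosts
                                       // only when an actual (non-www) subdomain is present
                                       and .href_url.domain.subdomain is not null
                                       and .href_url.domain.subdomain != "www"
                                     )
                                     // the link goes to a URL shortener or a social landing host
                                     or .href_url.domain.root_domain in $url_shorteners
                                     or .href_url.domain.root_domain in $social_landing_hosts
                                     or .href_url.domain.domain in $url_shorteners
                                     or .href_url.domain.domain in $social_landing_hosts
                                     // or the link carries call-to-action text and, when followed,
                                     // behaves like a phishing landing or an evasion step
                                     or (
                                       // link text mentions common "action" words
                                       // (icontains is case-insensitive; includes Spanish/Portuguese "validar")
                                       regex.icontains(.display_text,
                                                       '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                                       )
                                       and (
                                         // visiting the link yields a credential-phishing verdict
                                         ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                                         // or lands on a CAPTCHA gate (common bot-filtering evasion)
                                         or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                                         // or redirects to a popular site - observed when the kit detects
                                         // analysis and bounces non-victims to a benign destination
                                         or (
                                           length(ml.link_analysis(.,
                                                                   mode="aggressive"
                                                  ).redirect_history
                                           ) > 0
                                           and ml.link_analysis(.,
                                                                mode="aggressive"
                                               ).effective_url.domain.root_domain in $tranco_10k
                                         )
                                       )
                                     )
                                   )
                            )
                          )
                  )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Whois"
id: "0dc40316-03b6-55a2-a5fe-81592ccf5ffb"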