Suspicious attachment with unscannable Cloudflare link
A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages gated behind a Turnstile CAPTCHA, which prevents automated link analysis from reaching the real destination. The sender uses deceptive display names and subjects indicating urgency or authority.
Sublime rule
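# Sublime Security detection rule (MQL inside the `source: |` block; MQL comments use `//`).
#
# Review notes on this revision:
#   * The display-name pattern for HR was written as "/bHR/b" (forward slashes), which can
#     never match a real display name and silently disabled that impersonation check. It is
#     now '\bHR\b' in single quotes, matching the existing '\bIT\b' entry (double-quoted YAML
#     would turn "\b" into a backspace character).
#   * Two subject patterns used exact-count quantifiers (".{010}" = exactly 10 characters,
#     ".{314}?" = exactly 314 characters) that are almost certainly typos for ranges. They are
#     replaced with bounded ranges; the exact bounds are a reconstruction and should be
#     confirmed against the shared subject list these entries were copied from.
#   * The sender-profile clause is reduced to an equivalent, shorter form (see comment there).
name: "Suspicious attachment with unscannable Cloudflare link"
description: "A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages with turnstile CAPTCHA gates. The sender uses deceptive display names and subjects indicating urgency or authority."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Attachment is a PDF or an Office document (including macro-capable extensions) whose
  // embedded links are few, concentrated on a handful of root domains, and none of which
  // belong to the sender's own root domain.
  and any(attachments,
          (
            .file_extension in $file_extensions_macros
            or .file_extension == "pdf"
            or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
            or .content_type in ("application/pdf")
          )
          and any(file.explode(.),
                  // few links
                  0 < length(.scan.url.urls) < 20
                  // fewer unique root domain links
                  and length(distinct(.scan.url.urls, .domain.root_domain)) < 10
                  // sender domain matches no body domains
                  and all(.scan.url.urls,
                          .domain.root_domain != sender.email.domain.root_domain
                  )
          )
  )

  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )

  // Suspicious subject, suspicious display name, or suspicious attachment content.
  // Note: several subject patterns ("report", "scam", "office365", "online doc") are very
  // broad on their own; they are only acceptable because the Cloudflare-gated-link and
  // sender-profile conditions below must also hold.
  and (
    regex.icontains(subject.subject,
                    "termination.*notice",
                    "38417",
                    ":completed",
                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                    "[il][il][il]egai[ -]",
                    "[li][li][li]ega[li] attempt",
                    "[ng]-?[io]n .*block",
                    "[ng]-?[io]n .*cancel",
                    "[ng]-?[io]n .*deactiv",
                    "[ng]-?[io]n .*disabl",
                    "action.*required",
                    "abandon.*package",
                    "about.your.account",
                    "acc(ou)?n?t (is )?on ho[li]d",
                    "acc(ou)?n?t.*terminat",
                    "acc(oun)?t.*[il1]{2}mitation",
                    "access.*limitation",
                    "account (will be )?block",
                    "account.*de-?activat",
                    "account.*locked",
                    "account.*re-verification",
                    "account.*security",
                    "account.*suspension",
                    "account.has.been",
                    "account.has.expired",
                    "account.will.be.blocked",
                    "account v[il]o[li]at",
                    "activity.*acc(oun)?t",
                    "almost.full",
                    "app[li]e.[il]d",
                    "authenticate.*account",
                    "been.*suspend",
                    "clos.*of.*account.*processed",
                    "confirm.your.account",
                    "courier.*able",
                    "crediential.*notif",
                    "deactivation.*in.*progress",
                    "delivery.*attempt.*failed",
                    "document.received",
                    "documented.*shared.*with.*you",
                    "dropbox.*document",
                    // was ".{010}" (exactly 10 characters); range bound is a reconstruction — confirm
                    "e-?ma[il1]+ .{0,10}suspen",
                    "e-?ma[il1]{1} user",
                    "e-?ma[il1]{2} acc",
                    "e-?ma[il1]{2}.*up.?grade",
                    "e.?ma[il1]{2}.*server",
                    "e.?ma[il1]{2}.*suspend",
                    "email.update",
                    "faxed you",
                    "fraud(ulent)?.*charge",
                    "from.helpdesk",
                    "fu[il1]{2}.*ma[il1]+[ -]?box",
                    "has.been.*suspended",
                    "has.been.limited",
                    "have.locked",
                    "he[li]p ?desk upgrade",
                    "heipdesk",
                    "i[il]iega[il]",
                    "ii[il]ega[il]",
                    "incoming e?mail",
                    "incoming.*fax",
                    "lock.*security",
                    "ma[il1]{1}[ -]?box.*quo",
                    "ma[il1]{2}[ -]?box.*fu[il1]",
                    "ma[il1]{2}box.*[il1]{2}mit",
                    "ma[il1]{2}box stor",
                    "mail on.?hold",
                    "mail.*box.*migration",
                    "mail.*de-?activat",
                    "mail.update.required",
                    "mails.*pending",
                    "messages.*pending",
                    "missed.*shipping.*notification",
                    "missed.shipment.notification",
                    "must.update.your.account",
                    "new [sl][io]g?[nig][ -]?in from",
                    "new voice ?-?mail",
                    "notifications.*pending",
                    "office.*3.*6.*5.*suspend",
                    "office365",
                    "on google docs with you",
                    "online doc",
                    "password.*compromised",
                    "periodic maintenance",
                    "potential(ly)? unauthorized",
                    "refund not approved",
                    "report",
                    "revised.*policy",
                    "scam",
                    "scanned.?invoice",
                    "secured?.update",
                    "security breach",
                    "securlty",
                    "signed.*delivery",
                    "statement is ready",
                    // was ".{314}?" (exactly 314 characters); range bound is a reconstruction — confirm
                    "status of your .{3,14}? ?delivery",
                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                    "suspicious.*sign.*[io]n",
                    "suspicious.activit",
                    "temporar(il)?y deactivate",
                    "temporar[il1]{2}y disab[li]ed",
                    "temporarily.*lock",
                    "un-?usua[li].activity",
                    "unable.*deliver",
                    "unauthorized.*activit",
                    "unauthorized.device",
                    "undelivered message",
                    "unread.*doc",
                    "unusual.activity",
                    "upgrade.*account",
                    "upgrade.notice",
                    "urgent message",
                    "urgent.verification",
                    "v[il1]o[li1]at[il1]on security",
                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                    "verification ?-?require",
                    "verification( )?-?need",
                    "verify.your?.account",
                    "web ?-?ma[il1]{2}",
                    "web[ -]?ma[il1]{2}",
                    "will.be.suspended",
                    "your (customer )?account .as",
                    "your.office.365",
                    "your.online.access"
    )
    or any($suspicious_subjects, strings.icontains(subject.subject, .))
    // Authority / urgency / finance terms in the display name. Most entries are unanchored
    // substrings (e.g. "Deal" also matches "Dealership"); only short tokens that would
    // otherwise match inside ordinary words are word-bounded.
    or regex.icontains(sender.display_name,
                       "Admin",
                       "Administrator",
                       "Alert",
                       "Assistant",
                       "Billing",
                       "Benefits",
                       "Bonus",
                       "CEO",
                       "CFO",
                       "CIO",
                       "CTO",
                       "Chairman",
                       "Claim",
                       "Confirm",
                       "Critical",
                       "Customer Service",
                       "Deal",
                       "Discount",
                       "Director",
                       "Exclusive",
                       "Executive",
                       "Fax",
                       "Free",
                       "Gift",
                       // single-quoted so YAML keeps the backslashes; was "/bHR/b", which never matched
                       '\bHR\b',
                       "Helpdesk",
                       "Human Resources",
                       "Immediate",
                       "Important",
                       "Info",
                       "Information",
                       "Invoice",
                       '\bIT\b',
                       "Legal",
                       "Lottery",
                       "Management",
                       "Manager",
                       "Member Services",
                       "Notification",
                       "Offer",
                       "Operations",
                       "Order",
                       "Partner",
                       "Payment",
                       "Payroll",
                       "President",
                       "Premium",
                       "Prize",
                       "Receipt",
                       "Refund",
                       "Registrar",
                       "Required",
                       "Reward",
                       "Sales",
                       "Secretary",
                       "Security",
                       "Service",
                       "Signature",
                       'SSA?\.gov',
                       "Storage",
                       "Support",
                       "Sweepstakes",
                       "System",
                       "Tax",
                       "Tech Support",
                       "Update",
                       "Upgrade",
                       "Urgent",
                       "Validate",
                       "Verify",
                       "VIP",
                       "Webmaster",
                       "Winner"
    )
    // The document itself links to an executable, or OCR of its content reads as a
    // credential-theft lure.
    or any(attachments,
           (
             .file_extension in $file_extensions_macros
             or .file_extension == "pdf"
             or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
             or .content_type in ("application/pdf")
           )
           and any(file.explode(.),
                   any(.scan.url.urls, strings.ends_with(.url, ".exe"))
                   // no confidence threshold is applied to the intent; if this branch proves
                   // noisy, gating on .confidence (e.g. medium/high) is the usual tightening
                   or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                          .name == "cred_theft"
                   )
           )
    )
  )

  // At least one link in the document resolves to a Cloudflare-gated page: either the
  // rendered page text mentions Cloudflare, or the page embeds the Turnstile challenge and
  // has almost no visible text (i.e. the real content sits behind the challenge rather than
  // merely including a widget). Cloudflare error pages, cookie banners that mention
  // Cloudflare, and known benign destinations are excluded.
  and any(attachments,
          (
            .file_extension in $file_extensions_macros
            or .file_extension == "pdf"
            or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
            or .content_type in ("application/pdf")
          )
          and any(file.explode(.),
                  any(.scan.url.urls,
                      (
                        strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                          "cloudflare"
                        )
                        // includes the turnstile CAPTCHA
                        or (
                          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                                            'https://challenges.cloudflare.com/turnstile/'
                          )
                          // has a short body length indicating the page is gated behind the turnstile instead
                          // of just including the turnstile
                          and length((
                                ml.link_analysis(., mode="aggressive").final_dom.display_text
                              )
                          ) < 200
                        )
                      )
                      and not (
                        ( // a Cloudflare error page
                          strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                        "*error code*"
                          )
                          and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                                  strings.icontains(.href_url.query_params,
                                                    "utm_source=errorcode"
                                  )
                          )
                        ) // a cookie warning mentioning Cloudflare
                        or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                           "cookie.{0,50}Cloudflare"
                        )
                        // known benign sites that sit behind a Cloudflare challenge
                        or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
                          "marketbeat.com"
                        )
                      )
                  )
          )
  )

  // Sender profile: never fire on a sender with prior benign messages; otherwise require the
  // sender to be unsolicited or to have prior malicious/spam history. This is logically the
  // same as the previous "(not solicited or (malicious and not benign)) and not benign".
  and not profile.by_sender().any_messages_benign
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
  - "Social engineering"
  - "Impersonation: Employee"
  - "Impersonation: VIP"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
id: "00f92b6f-7449-5c93-ba29-b406c57bf121"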