Suspicious attachment with unscannable Cloudflare link
A PDF or Office document contains a small set of URLs, none on the sender's root domain, at least one of which leads to a Cloudflare-protected page (a Turnstile CAPTCHA gate, or a page whose visible text mentions Cloudflare). The message also carries a social-engineering signal — an urgency/authority subject, a deceptive display name, or credential-theft indicators in the attachment itself — and the sender is unsolicited or has prior malicious/spam verdicts.
Sublime rule (View on GitHub)
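# Sublime Security detection rule. The `source` block is MQL; `//` comments are
# MQL line comments, `$...` names are feed/list references resolved at runtime.
name: "Suspicious attachment with unscannable Cloudflare link"
description: "A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages with turnstile CAPTCHA gates. The sender uses deceptive display names and subjects indicating urgency or authority."
type: "rule"
severity: "medium"
source: |
  // Entry condition: an inbound message with a PDF/Office attachment whose
  // exploded content holds a small, low-diversity set of links, none of which
  // share the sender's root domain.
  type.inbound
  and any(attachments,
    (
      .file_extension in $file_extensions_macros
      or .file_extension == "pdf"
      or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
      or .content_type in ("application/pdf")
    )
    and any(file.explode(.),
      // few links
      0 < length(.scan.url.urls) < 20
      // fewer unique root domain links
      and length(distinct(.scan.url.urls, .domain.root_domain)) < 10
      // sender domain matches no body domains
      and all(.scan.url.urls,
        .domain.root_domain != sender.email.domain.root_domain
      )
    )
  )

  // negate bouncebacks and undeliverables
  and not any(attachments,
    .content_type in (
      "message/global-delivery-status",
      "message/delivery-status"
    )
  )

  // suspicious subject or display name
  and (
    // Subject patterns are unanchored, case-insensitive regex substrings; a bare
    // "." matches any single character, so "account.has.been" also matches
    // "account-has-been". NOTE(review): "report" and "scam" are very short
    // substrings and will match many legitimate subjects; they rely on the
    // surrounding conditions for precision.
    // NOTE(review): two quantifiers in this list were previously written as
    // ".{010}" (exactly 10 characters) and ".{314}?" (exactly 314 characters),
    // which can never be the intent for a subject line; they are read here as the
    // bounded ranges ".{0,10}" and ".{3,14}?" — confirm against the upstream rule.
    regex.icontains(subject.subject,
      "termination.*notice",
      "38417",
      ":completed",
      "[il1]{2}mit.*ma[il1]{2} ?bo?x",
      "[il][il][il]egai[ -]",
      "[li][li][li]ega[li] attempt",
      "[ng]-?[io]n .*block",
      "[ng]-?[io]n .*cancel",
      "[ng]-?[io]n .*deactiv",
      "[ng]-?[io]n .*disabl",
      "action.*required",
      "abandon.*package",
      "about.your.account",
      "acc(ou)?n?t (is )?on ho[li]d",
      "acc(ou)?n?t.*terminat",
      "acc(oun)?t.*[il1]{2}mitation",
      "access.*limitation",
      "account (will be )?block",
      "account.*de-?activat",
      "account.*locked",
      "account.*re-verification",
      "account.*security",
      "account.*suspension",
      "account.has.been",
      "account.has.expired",
      "account.will.be.blocked",
      "account v[il]o[li]at",
      "activity.*acc(oun)?t",
      "almost.full",
      "app[li]e.[il]d",
      "authenticate.*account",
      "been.*suspend",
      "clos.*of.*account.*processed",
      "confirm.your.account",
      "courier.*able",
      "crediential.*notif",
      "deactivation.*in.*progress",
      "delivery.*attempt.*failed",
      "document.received",
      "documented.*shared.*with.*you",
      "dropbox.*document",
      "e-?ma[il1]+ .{0,10}suspen",
      "e-?ma[il1]{1} user",
      "e-?ma[il1]{2} acc",
      "e-?ma[il1]{2}.*up.?grade",
      "e.?ma[il1]{2}.*server",
      "e.?ma[il1]{2}.*suspend",
      "email.update",
      "faxed you",
      "fraud(ulent)?.*charge",
      "from.helpdesk",
      "fu[il1]{2}.*ma[il1]+[ -]?box",
      "has.been.*suspended",
      "has.been.limited",
      "have.locked",
      "he[li]p ?desk upgrade",
      "heipdesk",
      "i[il]iega[il]",
      "ii[il]ega[il]",
      "incoming e?mail",
      "incoming.*fax",
      "lock.*security",
      "ma[il1]{1}[ -]?box.*quo",
      "ma[il1]{2}[ -]?box.*fu[il1]",
      "ma[il1]{2}box.*[il1]{2}mit",
      "ma[il1]{2}box stor",
      "mail on.?hold",
      "mail.*box.*migration",
      "mail.*de-?activat",
      "mail.update.required",
      "mails.*pending",
      "messages.*pending",
      "missed.*shipping.*notification",
      "missed.shipment.notification",
      "must.update.your.account",
      "new [sl][io]g?[nig][ -]?in from",
      "new voice ?-?mail",
      "notifications.*pending",
      "office.*3.*6.*5.*suspend",
      "office365",
      "on google docs with you",
      "online doc",
      "password.*compromised",
      "periodic maintenance",
      "potential(ly)? unauthorized",
      "refund not approved",
      "report",
      "revised.*policy",
      "scam",
      "scanned.?invoice",
      "secured?.update",
      "security breach",
      "securlty",
      "signed.*delivery",
      "statement is ready",
      "status of your .{3,14}? ?delivery",
      "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
      "suspicious.*sign.*[io]n",
      "suspicious.activit",
      "temporar(il)?y deactivate",
      "temporar[il1]{2}y disab[li]ed",
      "temporarily.*lock",
      "un-?usua[li].activity",
      "unable.*deliver",
      "unauthorized.*activit",
      "unauthorized.device",
      "undelivered message",
      "unread.*doc",
      "unusual.activity",
      "upgrade.*account",
      "upgrade.notice",
      "urgent message",
      "urgent.verification",
      "v[il1]o[li1]at[il1]on security",
      "va[il1]{1}date.*ma[il1]{2}[ -]?box",
      "verification ?-?require",
      "verification( )?-?need",
      "verify.your?.account",
      "web ?-?ma[il1]{2}",
      "web[ -]?ma[il1]{2}",
      "will.be.suspended",
      "your (customer )?account .as",
      "your.office.365",
      "your.online.access"
    )
    // Plain substring match against the shared suspicious-subjects list.
    or any($suspicious_subjects, strings.icontains(subject.subject, .))
    // Display-name patterns are also unanchored substrings; only HR and IT carry
    // \b word boundaries, so e.g. "Info" matches "Informatics" and "Tax" matches
    // "Taxi". The HR pattern previously read "/bHR/b" (forward slashes), which
    // only matched the literal text "/bHR/b" and therefore never fired; it is now
    // '\bHR\b', written like the IT pattern below.
    or regex.icontains(sender.display_name,
      "Admin",
      "Administrator",
      "Alert",
      "Assistant",
      "Billing",
      "Benefits",
      "Bonus",
      "CEO",
      "CFO",
      "CIO",
      "CTO",
      "Chairman",
      "Claim",
      "Confirm",
      "Critical",
      "Customer Service",
      "Deal",
      "Discount",
      "Director",
      "Exclusive",
      "Executive",
      "Fax",
      "Free",
      "Gift",
      '\bHR\b',
      "Helpdesk",
      "Human Resources",
      "Immediate",
      "Important",
      "Info",
      "Information",
      "Invoice",
      '\bIT\b',
      "Legal",
      "Lottery",
      "Management",
      "Manager",
      "Member Services",
      "Notification",
      "Offer",
      "Operations",
      "Order",
      "Partner",
      "Payment",
      "Payroll",
      "President",
      "Premium",
      "Prize",
      "Receipt",
      "Refund",
      "Registrar",
      "Required",
      "Reward",
      "Sales",
      "Secretary",
      "Security",
      "Service",
      "Signature",
      'SSA?\.gov',
      "Storage",
      "Support",
      "Sweepstakes",
      "System",
      "Tax",
      "Tech Support",
      "Update",
      "Upgrade",
      "Urgent",
      "Validate",
      "Verify",
      "VIP",
      "Webmaster",
      "Winner",
    )
    // The attachment itself carries a credential-theft signal: a link whose URL
    // ends in ".exe", or the NLU classifier tagging the OCR'd text as cred_theft.
    or any(attachments,
      (
        .file_extension in $file_extensions_macros
        or .file_extension == "pdf"
        or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
        or .content_type in ("application/pdf")
      )
      and any(file.explode(.),
        any(.scan.url.urls, strings.ends_with(.url, ".exe"))
        or any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
      )
    )
  )

  // The attachment links to a Cloudflare-gated page.
  // NOTE(review): this is a separate any(attachments, ...) from the one at the
  // top of the rule, so the attachment holding the Cloudflare link need not be
  // the same attachment that satisfied the link-count checks above.
  and any(attachments,
    (
      .file_extension in $file_extensions_macros
      or .file_extension == "pdf"
      or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
      or .content_type in ("application/pdf")
    )
    and any(file.explode(.),
      any(.scan.url.urls,
        (
          // the crawled page's visible text mentions Cloudflare
          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
            "cloudflare"
          )
          // includes the turnstile CAPTCHA
          or (
            strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
              'https://challenges.cloudflare.com/turnstile/'
            )
            // has a short body length indicating the page is gated behind the turnstile instead
            // of just including the turnstile
            and length((
              ml.link_analysis(., mode="aggressive").final_dom.display_text
            )
            ) < 200
          )
        )
        // Exclude pages that mention Cloudflare for benign reasons.
        and not (
          ( // a Cloudflare error page
            strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
              "*error code*"
            )
            and any(ml.link_analysis(., mode="aggressive").final_dom.links,
              strings.icontains(.href_url.query_params,
                "utm_source=errorcode"
              )
            )
          ) // a cookie warning mentioning Cloudflare
          or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
            "cookie.{0,50}Cloudflare"
          )
          // known site whose crawled page trips the Cloudflare text check
          or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
            "marketbeat.com"
          )
        )
      )
    )
  )

  // Sender reputation: unsolicited, or a sender with prior malicious/spam
  // verdicts and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalent to: not (high-trust root domain and DMARC pass))
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // NOTE(review): any prior benign message from this sender suppresses the rule
  // outright; a sender who first delivers harmless mail is not evaluated further.
  and not profile.by_sender().any_messages_benign

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
  - "Social engineering"
  - "Impersonation: Employee"
  - "Impersonation: VIP"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
id: "00f92b6f-7449-5c93-ba29-b406c57bf121"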