Link: chatbot.page platform abuse
Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content.
# Sublime Security detection rule. The metadata keys (name, description, type,
# severity, attack_types, tactics_and_techniques, detection_methods, id) are
# catalogue fields; the `source` key holds the MQL expression evaluated
# against each message.
1name: "Link: chatbot.page platform abuse"
2description: "Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content."
3type: "rule"
4severity: "medium"
# Match logic, top to bottom: the inbound message carries exactly one
# chatbot.page link, and the fetched page for that link either exposes a
# `window.form` config whose JSON shows a placeholder contact name, a free
# plan, or a single question whose links look like credential phishing --
# or the page already shows the platform's "blocked by the administrator"
# notice. Only the last branch does not depend on the JSON being present.
5source: |
6 type.inbound
 // exactly one chatbot.page link; messages with zero or several such links do not match
7 and length(filter(body.links, .href_url.domain.domain == "chatbot.page")) == 1
8 and any(body.links,
9 .href_url.domain.domain == "chatbot.page"
10 // pull out the <script> block that contains the JSON
 // `.` is the current body.links entry; final_dom is the link-analysis result for it
11 and (
12 any(html.xpath(ml.link_analysis(.).final_dom,
13 '//script[contains(text(), "window.form")]'
14 ).nodes,
15 // parse out the JSON
 // NOTE(review): the '.' in 'window.form' is an unescaped wildcard and '{.*}' is greedy, so the
 // capture runs to the last '}' in the script text; confirm the regex dialect treats the bare '{' literally
 // NOTE(review): the extracted JSON is re-parsed with strings.parse_json on each use below -- fine
 // unless parsing is costly; behaviour on a non-JSON capture is not visible here, confirm it does not error
16 any(regex.extract(.raw, 'window.form = (?P<json>{.*})'),
17 // user didn't fill out any contact info, indicative of abuse
18 // a legitimate business would complete this information
 // NOTE(review): 'John Doe' is presumably the platform's default placeholder for emailSignature.name -- confirm
19 strings.parse_json(.named_groups['json'])['emailSignature']['name'] == 'John Doe'
20 // a legitimate business would likely not be on the free plan
21 or strings.parse_json(.named_groups['json'])['config']['userPlan'] == 'free'
 // third branch: the configured question itself carries a phishing link; this is the only
 // JSON-based branch that still applies when the name is filled in and the plan is paid
22 or (
23 // only 1 question
24 length(strings.parse_json(.named_groups['json'])['questions']
25 ) == 1
26 // pull out the link(s) in the question
27 and any(strings.parse_json(.named_groups['json'])['questions'],
 // inside this any(), `.` is a link object from the question's 'links' list
28 any(.['links'],
29 // NLU on link display text
30 any(ml.nlu_classifier(.['text']).intents,
31 .name == "cred_theft"
32 )
33 // LA on the link itself
 // aggressive-mode link analysis on the embedded link's 'value', not on the chatbot.page URL
34 or ml.link_analysis(strings.parse_url(.['value']
35 ),
36 mode="aggressive"
37 ).credphish.disposition == "phishing"
38 )
39 )
40 )
41 )
42 )
 // fallback: the platform has already taken the chatbot down; the notice text alone is enough to match
 // NOTE(review): ml.link_analysis(.) is invoked a second time here for the same link -- confirm results are cached
43 or strings.icontains(ml.link_analysis(.).final_dom.display_text,
44 "This chatbot has been blocked by the administrator"
45 )
46 )
47 )
48attack_types:
49 - "Credential Phishing"
50tactics_and_techniques:
51 - "Social engineering"
52 - "Out of band pivot"
# Methods listed here mirror the calls in `source`: xpath on the rendered DOM,
# regex/JSON parsing of the script, NLU on link text, and link analysis.
53detection_methods:
54 - "URL analysis"
55 - "Natural Language Understanding"
56 - "Content analysis"
57 - "HTML analysis"
58 - "Javascript analysis"
59 - "URL screenshot"
60id: "bfd6a076-2c63-59ae-95b6-2bb837c4bea2"