Link: chatbot.page platform abuse

Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content.

Sublime rule (View on GitHub)

# Sublime MQL detection rule. The `source` query runs against inbound messages and
# fires when the message body carries exactly one link to chatbot.page and the
# hosted page either (a) exposes a `window.form` JSON config with abuse indicators
# (placeholder contact name, free plan, or a single question whose link looks like
# credential phishing) or (b) already shows the platform's "blocked by the
# administrator" notice.
 1name: "Link: chatbot.page platform abuse"
 2description: "Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
    // exactly one chatbot.page link in the body; messages with zero or several are not matched
 7  and length(filter(body.links, .href_url.domain.domain == "chatbot.page")) == 1
 8  and any(body.links,
 9          .href_url.domain.domain == "chatbot.page"
10          // pull out the <script> block that contains the JSON
11          and (
            // fetch the final DOM of the linked page via link analysis and select
            // the <script> element(s) whose text mentions window.form
12            any(html.xpath(ml.link_analysis(.).final_dom,
13                           '//script[contains(text(), "window.form")]'
14                ).nodes,
15                // parse out the JSON
                  // named group 'json' captures the object literal assigned to window.form.
                  // NOTE(review): the greedy `.*` presumably only spans a single line, so a
                  // multi-line literal would not be captured; the `.` in "window.form" is
                  // unescaped and matches any character -- confirm against a live page
16                any(regex.extract(.raw, 'window.form = (?P<json>{.*})'),
17                    // user didn't fill out any contact info, indicative of abuse
18                    // a legitimate business would complete this information
                      // NOTE(review): 'John Doe' is presumably the platform's placeholder
                      // value for an unfilled emailSignature -- verify against a fresh config
19                    strings.parse_json(.named_groups['json'])['emailSignature']['name'] == 'John Doe'
20                    // a legitimate business would likely not be on the free plan
21                    or strings.parse_json(.named_groups['json'])['config']['userPlan'] == 'free'
22                    or (
23                      // only 1 question
24                      length(strings.parse_json(.named_groups['json'])['questions']
25                      ) == 1
26                      // pull out the link(s) in the question
27                      and any(strings.parse_json(.named_groups['json'])['questions'],
28                              any(.['links'],
29                                  // NLU on link display text
                                    // NOTE(review): any intent named cred_theft matches here, with
                                    // no confidence threshold applied -- confirm that is intended
30                                  any(ml.nlu_classifier(.['text']).intents,
31                                      .name == "cred_theft"
32                                  )
33                                  // LA on the link itself
                                    // the link target is re-parsed as a URL and analyzed in
                                    // aggressive mode; a "phishing" credphish disposition is enough
34                                  or ml.link_analysis(strings.parse_url(.['value']
35                                                      ),
36                                                      mode="aggressive"
37                                  ).credphish.disposition == "phishing"
38                              )
39                      )
40                    )
41                )
42            )
              // fallback: the page already displays the platform's block notice, i.e. the
              // chatbot was taken down by the administrator; still treated as a signal.
              // this is a second ml.link_analysis(.) call on the same link as above
43            or strings.icontains(ml.link_analysis(.).final_dom.display_text,
44                                 "This chatbot has been blocked by the administrator"
45            )
46          )
47  )  
48attack_types:
49  - "Credential Phishing"
50tactics_and_techniques:
51  - "Social engineering"
52  - "Out of band pivot"
53detection_methods:
54  - "URL analysis"
55  - "Natural Language Understanding"
56  - "Content analysis"
57  - "HTML analysis"
58  - "Javascript analysis"
59  - "URL screenshot"
60id: "bfd6a076-2c63-59ae-95b6-2bb837c4bea2"