Suspicious Links to Cloudflare R2 and Edge Services

calendar Sep 20, 2025 · Attack surface reduction  ·
Share on: linkedin copy

Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication.

Sublime rule (View on GitHub)

 1name: "Suspicious Links to Cloudflare R2 and Edge Services"
 2description: "Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          // Check root domain first 
 9          .href_url.domain.root_domain in ("r2.dev", "pages.dev", "workers.dev")
10          // Check the specific pub-{hex}.r2.dev subdomain pattern only for r2.dev
11  )
12  // negate emails with unsubscribe links
13  and not any(body.links,
14              strings.icontains(.href_url.url, "unsubscribe")
15              or strings.icontains(.display_text, "unsubscribe")
16  )
17  // negate bulk mailer domains
18  and not any(body.links,
19              .href_url.domain.root_domain in $bulk_mailer_url_root_domains
20  )
21  and not (
22    any(ml.nlu_classifier(body.current_thread.text).topics,
23        .name in (
24          "Newsletters and Digests",
25          "Advertising and Promotions",
26          "Educational and Research",
27          "B2B Cold Outreach",
28          "Health and Wellness",
29          "Professional and Career Development",
30          "Romance",
31          "Sexually Explicit Messages",
32          "Software and App Updates",
33          "Acts of Violence",
34          "Voicemail Call and Missed Call Notifications"
35        )
36        and .confidence == "high"
37    )
38  )
39  // negate highly trusted sender domains unless they fail DMARC authentication
40  and (
41    (
42      sender.email.domain.root_domain in $high_trust_sender_root_domains
43      and not headers.auth_summary.dmarc.pass
44    )
45    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
46  )
47  and (
48    not profile.by_sender().solicited
49    or (
50      profile.by_sender().any_messages_malicious_or_spam
51      and not profile.by_sender().any_messages_benign
52    )
53  )
54  and not profile.by_sender().any_messages_benign  
55tags:
56 - "Attack surface reduction"
57attack_types:
58  - "BEC/Fraud"
59  - "Callback Phishing"
60  - "Credential Phishing"
61  - "Extortion"
62  - "Malware/Ransomware"
63  - "Spam"
64tactics_and_techniques:
65  - "Free file host"
66detection_methods:
67  - "Header analysis"
68  - "Sender analysis"
69  - "URL analysis"
70id: "5dd3e5c8-7c81-5e2f-8e2b-ef21ea77bf73"

Related rules

to-top