Link: Cryptocurrency fraud with suspicious links
Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication.
Sublime rule
name: "Link: Cryptocurrency fraud with suspicious links"
description: "Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Financial Communications")
  )
  and strings.ilike(body.current_thread.text, "*cryptocurrency*", "*bitcoin*")
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                'Advertising and Promotions',
                'Newsletters and Digests',
                'News and Current Events',
                'Legal and Compliance'
              )
  )
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence == "high"
  )
  and any(body.links,
          (
            .href_url.domain.tld in $suspicious_tlds
            or .href_url.domain.root_domain in $url_shorteners
            or network.whois(.href_url.domain).days_old < 30
            // 1 distinct link domain that's not the sender domain
            or length(distinct(filter(body.links,
                                      .href_url.domain.root_domain != sender.email.domain.root_domain
                               ),
                               .href_url.domain.root_domain
                      )
            ) == 1
          )
          and (
            any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                // known paths
                strings.ilike(.path, "/payouts/img/*", "/img/coins/*")
                // abused service to fetch coin prices
                or .domain.domain == "api.coingecko.com"
                // suspicious TLD that isn't the original link domain
                or (
                  .domain.tld in $suspicious_tlds
                  and .domain.root_domain != ..href_url.domain.root_domain
                )
            )
            or any(ml.link_analysis(., mode="aggressive").redirect_history,
                   // traversed a domain that is not the body link domain OR the effective domain
                   .domain.root_domain != ..href_url.domain.root_domain
                   and .domain.root_domain != ml.link_analysis(.,
                                                               mode="aggressive"
                                              ).effective_url.domain.root_domain
            )
            // locate and extract the configuration on the page
            or (
              length(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                                '//script/text()'
                     ).nodes
              ) == 1
              and any(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                                 '//script'
                      ).nodes,
                      any(file.explode(.),
                          length(filter(.scan.javascript.identifiers,
                                        strings.ilike(., "pay*")
                                 )
                          ) == 27
                          or any(.scan.javascript.strings,
                                 strings.icontains(., "pay.php")
                          )
                      )
              )
            )
          )
  )
  and not (
    sender.email.domain.root_domain in (
      "gemini.com",
      "ledger.com",
      "binance.com",
      "trezor.io",
      "kraken.com",
      "solana.com",
      "metamask.com",
      "ethereum.org",
      "bloomberg.com"
    )
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Free subdomain host"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Javascript analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
  - "Whois"
id: "d0da37ce-efa1-5a71-a14b-add6439822cc"
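To make the link-structure half of the rule concrete, here is an added Python model (not code from Sublime or this rule) of the body.links indicators, the redirect_history branch and the trusted-sender/DMARC exclusion, run over constructed messages. The $suspicious_tlds and $url_shorteners contents, the sample hosts and the two-label root_domain() helper are assumptions for the demo; the JavaScript/unique_urls_accessed branches are not modelled.

```python
from dataclasses import dataclass, field

# Stand-ins for the rule's $suspicious_tlds and $url_shorteners lists (constructed contents)
SUSPICIOUS_TLDS = {"top", "xyz", "icu"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
# Sender domains the rule exempts when DMARC passes (taken from the rule)
TRUSTED_SENDERS = {"gemini.com", "ledger.com", "binance.com", "trezor.io", "kraken.com",
                   "solana.com", "metamask.com", "ethereum.org", "bloomberg.com"}

def root_domain(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list; assumption for this demo)."""
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class Link:
    host: str                       # hostname of the body link (href_url.domain)
    days_old: int                   # stand-in for network.whois(...).days_old
    redirects: list = field(default_factory=list)  # hosts traversed (redirect_history)
    effective: str = ""             # final landing host (effective_url.domain)

def single_offsender_domain(links, sender_domain):
    """Exactly one distinct link root domain that is not the sender's root domain."""
    others = {root_domain(l.host) for l in links
              if root_domain(l.host) != root_domain(sender_domain)}
    return len(others) == 1

def link_is_suspicious(link, links, sender_domain):
    """First half of the any(body.links, ...) clause: domain-level indicators."""
    return (link.host.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS
            or root_domain(link.host) in URL_SHORTENERS
            or link.days_old < 30
            or single_offsender_domain(links, sender_domain))

def redirect_via_third_party(link):
    """redirect_history branch: a hop whose root domain is neither the body link's nor the final URL's."""
    final = root_domain(link.effective or link.host)
    return any(root_domain(h) not in (root_domain(link.host), final) for h in link.redirects)

def message_flagged(links, sender_domain, dmarc_pass):
    """Combine the link checks with the rule's trusted-sender + DMARC exclusion."""
    if root_domain(sender_domain) in TRUSTED_SENDERS and dmarc_pass:
        return False
    return any(link_is_suspicious(l, links, sender_domain) and redirect_via_third_party(l)
               for l in links)

# Constructed sample messages (hosts are made up, not real indicators)
SCAM = [Link("bit.ly", 5000, ["trk.promo-host.net", "btc-payout.top"], "btc-payout.top")]
NEWSLETTER = [Link("www.bloomberg.com", 9000, ["www.bloomberg.com"], "www.bloomberg.com")]
```

Note that NEWSLETTER sent from an unrelated domain still passes the "single off-sender domain" test but is not flagged, because no redirect hop leaves the link's own root domain; both halves of the clause must hold.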