Link: Multistage landing - ClickUp abuse
Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas.
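name: "Link: Multistage landing - ClickUp abuse"
description: "Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas."
type: "rule"
severity: "high"
# Two-stage check: the message must link to a doc.clickup.com page, and either that
# page has been removed or the links found inside the rendered page are suspicious.
source: |
  type.inbound
  and any(body.current_thread.links,
          .href_url.domain.domain == "doc.clickup.com"
          and (
            // landing page has been removed
            strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                                 'This page is currently unavailable'
            )
            // inspection of links within the doc.clickup.com page, ignoring
            // ClickUp's own domain and the organization's domains
            or any(filter(ml.link_analysis(.).final_dom.links,
                          .href_url.domain.root_domain != 'clickup.com'
                          and .href_url.domain.root_domain not in $org_domains
                   ),
                   (
                     // any of those links domains are new
                     network.whois(.href_url.domain).days_old < 30
                     // go to free file hosts
                     or .href_url.domain.root_domain in $free_file_hosts
                     or .href_url.domain.domain in $free_file_hosts

                     // go to free subdomains hosts
                     or (
                       .href_url.domain.root_domain in $free_subdomain_hosts
                       // where there is a subdomain
                       and .href_url.domain.subdomain is not null
                       and .href_url.domain.subdomain != "www"
                     )
                     // go to url shorteners or social landing hosts
                     or .href_url.domain.root_domain in $url_shorteners
                     or .href_url.domain.root_domain in $social_landing_hosts
                     or .href_url.domain.domain in $url_shorteners
                     or .href_url.domain.domain in $social_landing_hosts
                     // or a call-to-action link resolves to a phishing page, a captcha,
                     // or an evasive redirect onto a well-known site
                     or (
                       // find any links that mention common "action" words
                       regex.icontains(.display_text,
                                       '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                       )
                       and (
                         // and when visiting those links, are phishing
                         ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                         // hit a captcha page
                         or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                         // or the page redirects to common website, observed when evasion happens
                         or (
                           length(ml.link_analysis(., mode="aggressive").redirect_history
                           ) > 0
                           and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                         )
                       )
                     )
                   )
            )
          )
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
detection_methods:
  - "URL analysis"
  - "Whois"
  - "Content analysis"
id: "78a5d035-8003-59e5-821d-4d6d5c40c4da"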