Link: Multistage landing - Trello board abuse
Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.
name: "Link: Multistage landing - Trello board abuse"
description: "Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders."
type: "rule"
severity: "high"
# Scope: inbound mail carrying at least one trello.com link whose path is a
# board path ("/b/..."). The condition handed to the outer any() is evaluated
# once per matching link, so `.` inside the MQL below is the current link.
#
# NOTE(review): only the display-text branch (first alternative) enforces the
# sender-profile conditions (unsolicited, prevalence new/outlier). The
# LinkAnalysis branch has no sender condition, so the "from unsolicited
# senders" wording in the description applies to the first branch only.
source: |
  type.inbound
  and any(filter(body.links,
                 .href_url.domain.root_domain == "trello.com"
                 and strings.istarts_with(.href_url.path, "/b/")
          ),
          // Branch 1: anchor-text heuristics, placed first so that a link
          // whose display text already reads like a lure short-circuits
          // before the more expensive LinkAnalysis branch is reached.
          // avoid doing LinkAnalysis if the display-text has strong indications of phishing
          (
            // replace confusables - observed ITW
            // (display text is normalised with strings.replace_confusables
            // before matching; presumably so look-alike characters seen in
            // the wild do not defeat the plain substring patterns below)
            //
            // Only `update` is word-boundary anchored (\bupdate\b); every
            // other token matches as a substring (e.g. "doc" inside "doctor"),
            // which is why the sender-profile conditions further down are
            // required for this branch to fire.
            regex.icontains(strings.replace_confusables(.display_text),
                            'review|proposal|document|efax|restore|[o0]pen|secure|messaging|reset|account|verify|login|notification|alert|urgent|immediate|access|support|\bupdate\b|download|attachment|service|payment|remittance|invoice|rfp|rfi|pdf|doc'
            )
            // explicit carve-out: "customer service" would otherwise match on
            // the "service" token above
            and not regex.icontains(strings.replace_confusables(.display_text),
                                    'customer service'
            )
            // add confidence to these strings by using profile.by_sender()
            // both conditions must hold: the sender is not one the recipient
            // has previously engaged with, and is new or an outlier in volume
            and (
              not profile.by_sender_email().solicited
              and profile.by_sender_email().prevalence in ('new', 'outlier')
            )
          )
          // Branch 2: LinkAnalysis of the Trello board itself. `.json` is the
          // body of each additional response; the keys read below (cards,
          // badges, members, memberships) are assumed to be the board payload
          // returned by Trello -- TODO confirm against a captured response.
          or any(ml.link_analysis(.).additional_responses,
                 // less than 4 cards on the Trello board
                 // (a near-empty board is treated as a throwaway landing page)
                 length(.json['cards']) < 4
                 or any(.json['cards'],
                        // suspicious link in a card title
                        // the card name is parsed as a URL; .domain.valid gates
                        // the three link_analysis calls so they only run on
                        // names that actually parse to a domain
                        (
                          strings.parse_url(.['name']).domain.valid
                          and (
                            ml.link_analysis(strings.parse_url(.['name'])).credphish.disposition == "phishing"
                            or ml.link_analysis(strings.parse_url(.['name'])).credphish.contains_captcha
                            // CF Turnstile
                            // a Cloudflare challenge in the fetched URL chain is
                            // treated as equivalent to a captcha gate above.
                            // NOTE(review): ml.link_analysis is invoked three
                            // times on the same parsed URL here -- confirm the
                            // engine caches the result rather than re-fetching.
                            or any(ml.link_analysis(strings.parse_url(.['name'])).unique_urls_accessed,
                                   .domain.domain == "challenges.cloudflare.com"
                            )
                          )
                        )
                        // Trello detected a malicious card attachment
                        // (Trello's own badge count on the card, not our scan)
                        or .['badges']['maliciousAttachments'] > 0
                 )
                 // Trello has blocked the user account
                 or any(.json['members'], .['activityBlocked'] == true)
                 // the user is the sole member of their Trello account and is the admin
                 // i.e. exactly one membership record and it carries the admin role
                 or (
                   length(.json['memberships']) == 1
                   and all(.json['memberships'], .['orgMemberType'] == "admin")
                 )
          )
  )

# Classification metadata for the rule catalogue.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
  - "Sender analysis"
  - "URL screenshot"
id: "14a5b23a-2432-5c58-a3c4-1f0606977dcc"