Link: Multistage landing - Trello board abuse

Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.

Sublime rule (View on GitHub)

# Sublime detection rule: YAML metadata plus a query expression in `source`.
# The query is evaluated per inbound message; a match raises a "high" severity alert.
name: "Link: Multistage landing - Trello board abuse"
description: "Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is in scope.
  type.inbound
  // Restrict to body links whose root domain is trello.com and whose path begins
  // with "/b/" (Trello board URLs). The rule matches when ANY such link satisfies
  // either of the two branches below.
  and any(filter(body.links,
                 .href_url.domain.root_domain == "trello.com"
                 and strings.istarts_with(.href_url.path, "/b/")
          ),
          // Branch 1: the link's display text carries phishing lure wording AND the
          // sender is unsolicited and rarely/never seen. Cheap checks only.
          // avoid doing LinkAnalysis if the display-text has strong indications of phishing
          (
            // replace confusables - observed ITW
            regex.icontains(strings.replace_confusables(.display_text),
                            'review|proposal|document|efax|restore|[o0]pen|secure|messaging|reset|account|verify|login|notification|alert|urgent|immediate|access|support|\bupdate\b|download|attachment|service|payment|remittance|invoice|rfp|rfi|pdf|doc'
            )
            // "customer service" would match the lure list via "service" but is a
            // common benign phrase, so it is excluded explicitly.
            and not regex.icontains(strings.replace_confusables(.display_text),
                                    'customer service'
            )
            // add confidence to these strings by using profile.by_sender()
            and (
              not profile.by_sender_email().solicited
              and profile.by_sender_email().prevalence in ('new', 'outlier')
            )
          )
          // Branch 2: fetch the board with LinkAnalysis and inspect the JSON in
          // additional_responses (presumably Trello's board payload -- confirm the
          // expected keys: cards[], members[], memberships[]).
          // NOTE(review): unlike Branch 1, this branch is NOT gated on the sender
          // profile, although the description says "boards with minimal content from
          // unsolicited senders"; a board with fewer than 4 cards linked from any
          // inbound sender will match. Confirm whether that is intended.
          or any(ml.link_analysis(.).additional_responses,
                 // less than 4 cards on the Trello board
                 length(.json['cards']) < 4
                 or any(.json['cards'],
                        // suspicious link in a card title
                        // The card name must itself parse as a URL with a valid domain;
                        // that URL is then analysed for a credential-phishing verdict,
                        // a CAPTCHA gate, or a Cloudflare Turnstile challenge page.
                        (
                          strings.parse_url(.['name']).domain.valid
                          and (
                            ml.link_analysis(strings.parse_url(.['name'])).credphish.disposition == "phishing"
                            or ml.link_analysis(strings.parse_url(.['name'])).credphish.contains_captcha
                            // CF Turnstile
                            or any(ml.link_analysis(strings.parse_url(.['name'])).unique_urls_accessed,
                                   .domain.domain == "challenges.cloudflare.com"
                            )
                          )
                        )
                        // Trello detected a malicious card attachment
                        or .['badges']['maliciousAttachments'] > 0
                 )
                 // Trello has blocked the user account
                 or any(.json['members'], .['activityBlocked'] == true)
                 // the user is the sole member of their Trello account and is the admin
                 or (
                   length(.json['memberships']) == 1
                   and all(.json['memberships'], .['orgMemberType'] == "admin")
                 )
          )
  )  

# Classification metadata used for triage, search and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
  - "Sender analysis"
  - "URL screenshot"
id: "14a5b23a-2432-5c58-a3c4-1f0606977dcc"