Suspicious message with unscannable Cloudflare link
This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.
Sublime rule (View on GitHub)
1name: "Suspicious message with unscannable Cloudflare link"
2description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 (
9 // few links
10 0 < length(body.links) < 20
11 // fewer unique root domain links
12 and length(distinct(body.links, .href_url.domain.root_domain)) < 10
13 // sender domain matches no body domains
14 and all(body.links,
15 .href_url.domain.root_domain != sender.email.domain.root_domain
16 )
17 )
18 or beta.scan_qr(file.message_screenshot()).found
19 )
20
21 // negate bouncebacks and undeliverables
22 and not any(attachments,
23 .content_type in (
24 "message/global-delivery-status",
25 "message/delivery-status"
26 )
27 )
28
29 // suspicious subject or display name
30 and (
31 regex.icontains(subject.subject,
32 "termination.*notice",
33 "38417",
34 ":completed",
35 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
36 "[il][il][il]egai[ -]",
37 "[li][li][li]ega[li] attempt",
38 "[ng]-?[io]n .*block",
39 "[ng]-?[io]n .*cancel",
40 "[ng]-?[io]n .*deactiv",
41 "[ng]-?[io]n .*disabl",
42 "action.*required",
43 "abandon.*package",
44 "about.your.account",
45 "acc(ou)?n?t (is )?on ho[li]d",
46 "acc(ou)?n?t.*terminat",
47 "acc(oun)?t.*[il1]{2}mitation",
48 "access.*limitation",
49 "account (will be )?block",
50 "account.*de-?activat",
51 "account.*locked",
52 "account.*re-verification",
53 "account.*security",
54 "account.*suspension",
55 "account.has.been",
56 "account.has.expired",
57 "account.will.be.blocked",
58 "account v[il]o[li]at",
59 "activity.*acc(oun)?t",
60 "almost.full",
61 "app[li]e.[il]d",
62 "authenticate.*account",
63 "been.*suspend",
64 "clos.*of.*account.*processed",
65 "confirm.your.account",
66 "courier.*able",
67 "crediential.*notif",
68 "deactivation.*in.*progress",
69 "delivery.*attempt.*failed",
70 "document.received",
71 "documented.*shared.*with.*you",
72 "dropbox.*document",
73 "e-?ma[il1]+ .{010}suspen",
74 "e-?ma[il1]{1} user",
75 "e-?ma[il1]{2} acc",
76 "e-?ma[il1]{2}.*up.?grade",
77 "e.?ma[il1]{2}.*server",
78 "e.?ma[il1]{2}.*suspend",
79 "email.update",
80 "faxed you",
81 "fraud(ulent)?.*charge",
82 "from.helpdesk",
83 "fu[il1]{2}.*ma[il1]+[ -]?box",
84 "has.been.*suspended",
85 "has.been.limited",
86 "have.locked",
87 "he[li]p ?desk upgrade",
88 "heipdesk",
89 "i[il]iega[il]",
90 "ii[il]ega[il]",
91 "incoming e?mail",
92 "incoming.*fax",
93 "lock.*security",
94 "ma[il1]{1}[ -]?box.*quo",
95 "ma[il1]{2}[ -]?box.*fu[il1]",
96 "ma[il1]{2}box.*[il1]{2}mit",
97 "ma[il1]{2}box stor",
98 "mail on.?hold",
99 "mail.*box.*migration",
100 "mail.*de-?activat",
101 "mail.update.required",
102 "mails.*pending",
103 "messages.*pending",
104 "missed.*shipping.*notification",
105 "missed.shipment.notification",
106 "must.update.your.account",
107 "new [sl][io]g?[nig][ -]?in from",
108 "new voice ?-?mail",
109 "notifications.*pending",
110 "office.*3.*6.*5.*suspend",
111 "office365",
112 "on google docs with you",
113 "online doc",
114 "password.*compromised",
115 "periodic maintenance",
116 "potential(ly)? unauthorized",
117 "refund not approved",
118 "report",
119 "revised.*policy",
120 "scam",
121 "scanned.?invoice",
122 "secured?.update",
123 "security breach",
124 "securlty",
125 "signed.*delivery",
126 "statement is ready",
127 "status of your .{314}? ?delivery",
128 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
129 "suspicious.*sign.*[io]n",
130 "suspicious.activit",
131 "temporar(il)?y deactivate",
132 "temporar[il1]{2}y disab[li]ed",
133 "temporarily.*lock",
134 "un-?usua[li].activity",
135 "unable.*deliver",
136 "unauthorized.*activit",
137 "unauthorized.device",
138 "undelivered message",
139 "unread.*doc",
140 "unusual.activity",
141 "upgrade.*account",
142 "upgrade.notice",
143 "urgent message",
144 "urgent.verification",
145 "v[il1]o[li1]at[il1]on security",
146 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
147 "verification ?-?require",
148 "verification( )?-?need",
149 "verify.your?.account",
150 "web ?-?ma[il1]{2}",
151 "web[ -]?ma[il1]{2}",
152 "will.be.suspended",
153 "your (customer )?account .as",
154 "your.office.365",
155 "your.online.access"
156 )
157 or any($suspicious_subjects, strings.icontains(subject.subject, .))
158 or regex.icontains(sender.display_name,
159 "Admin",
160 "Administrator",
161 "Alert",
162 "Assistant",
163 "Billing",
164 "Benefits",
165 "Bonus",
166 "CEO",
167 "CFO",
168 "CIO",
169 "CTO",
170 "Chairman",
171 "Claim",
172 "Confirm",
173 "Critical",
174 "Customer Service",
175 "Deal",
176 "Discount",
177 "Director",
178 "Exclusive",
179 "Executive",
180 "Fax",
181 "Free",
182 "Gift",
183 "/bHR/b",
184 "Helpdesk",
185 "Human Resources",
186 "Immediate",
187 "Important",
188 "Info",
189 "Information",
190 "Invoice",
191 '\bIT\b',
192 "Legal",
193 "Lottery",
194 "Management",
195 "Manager",
196 "Member Services",
197 "Notification",
198 "Offer",
199 "Operations",
200 "Order",
201 "Partner",
202 "Payment",
203 "Payroll",
204 "President",
205 "Premium",
206 "Prize",
207 "Receipt",
208 "Refund",
209 "Registrar",
210 "Required",
211 "Reward",
212 "Sales",
213 "Secretary",
214 "Security",
215 "Service",
216 "Signature",
217 "SSA",
218 "Storage",
219 "Support",
220 "Sweepstakes",
221 "System",
222 "Tax",
223 "Tech Support",
224 "Update",
225 "Upgrade",
226 "Urgent",
227 "Validate",
228 "Verify",
229 "VIP",
230 "Webmaster",
231 "Winner",
232 )
233 or any(body.links, strings.ends_with(.href_url.url, ".exe"))
234 )
235
236 // link can't be scanned due to Cloudflare captcha
237 and (
238 any(body.links,
239 (
240 strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
241 "cloudflare"
242 )
243 // includes the turnstile CAPTCHA
244 or (
245 strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
246 'https://challenges.cloudflare.com/turnstile/'
247 )
248 // has a short body length indicating the page is gated behind the turnstile instead
249 // of just including the turnstile
250 and length((
251 ml.link_analysis(., mode="aggressive").final_dom.display_text
252 )
253 ) < 200
254 )
255 )
256 and not (
257 ( // a Cloudflare error page
258 strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
259 "*error code*"
260 )
261 and any(ml.link_analysis(., mode="aggressive").final_dom.links,
262 strings.icontains(.href_url.query_params,
263 "utm_source=errorcode"
264 )
265 )
266 ) // a cookie warning mentioning Cloudflare
267 or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
268 "cookie.{0,50}Cloudflare"
269 )
270 or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
271 "marketbeat.com"
272 )
273 )
274 )
275 or any(beta.scan_qr(file.message_screenshot()).items,
276 .type == "url"
277 and (
278 strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
279 "cloudflare"
280 )
281 // includes the turnstile CAPTCHA
282 or (
283 strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.raw,
284 'https://challenges.cloudflare.com/turnstile/'
285 )
286 // has a short body length indicating the page is gated behind the turnstile instead
287 // of just including the turnstile
288 and length((
289 ml.link_analysis(.url, mode="aggressive").final_dom.display_text
290 )
291 ) < 200
292 )
293 )
294 and not (
295 ( // a Cloudflare error page
296 strings.ilike(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
297 "*error code*"
298 )
299 and any(ml.link_analysis(.url, mode="aggressive").final_dom.links,
300 strings.icontains(.href_url.query_params,
301 "utm_source=errorcode"
302 )
303 )
304 ) // a cookie warning mentioning Cloudflare
305 or regex.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
306 "cookie.{0,50}Cloudflare"
307 )
308 or ml.link_analysis(.url, mode="aggressive").effective_url.domain.root_domain in (
309 "marketbeat.com"
310 )
311 )
312 )
313 )
314 and (
315 not profile.by_sender_email().solicited
316 or (
317 profile.by_sender().any_messages_malicious_or_spam
318 and not profile.by_sender().any_messages_benign
319 )
320 )
321 // negate highly trusted sender domains unless they fail DMARC authentication
322 and (
323 (
324 sender.email.domain.root_domain in $high_trust_sender_root_domains
325 and not headers.auth_summary.dmarc.pass
326 )
327 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
328 )
329 and not profile.by_sender().any_messages_benign
330
331tags:
332 - "Attack surface reduction"
333attack_types:
334 - "Credential Phishing"
335detection_methods:
336 - "Content analysis"
337 - "Header analysis"
338 - "URL analysis"
339 - "Sender analysis"
340id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"