Suspicious message with unscannable Cloudflare link
This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.
Sublime rule (View on GitHub)
1name: "Suspicious message with unscannable Cloudflare link"
2description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 // few links
9 0 < length(body.links) < 20
10 // fewer unique root domain links
11 and length(distinct(body.links, .href_url.domain.root_domain)) < 10
12 // sender domain matches no body domains
13 and all(body.links,
14 .href_url.domain.root_domain != sender.email.domain.root_domain
15 )
16 )
17
18 // negate bouncebacks and undeliverables
19 and not any(attachments,
20 .content_type in (
21 "message/global-delivery-status",
22 "message/delivery-status"
23 )
24 )
25
26 // suspicious subject or display name
27 and (
28 regex.icontains(subject.subject,
29 "termination.*notice",
30 "38417",
31 ":completed",
32 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
33 "[il][il][il]egai[ -]",
34 "[li][li][li]ega[li] attempt",
35 "[ng]-?[io]n .*block",
36 "[ng]-?[io]n .*cancel",
37 "[ng]-?[io]n .*deactiv",
38 "[ng]-?[io]n .*disabl",
39 "action.*required",
40 "abandon.*package",
41 "about.your.account",
42 "acc(ou)?n?t (is )?on ho[li]d",
43 "acc(ou)?n?t.*terminat",
44 "acc(oun)?t.*[il1]{2}mitation",
45 "access.*limitation",
46 "account (will be )?block",
47 "account.*de-?activat",
48 "account.*locked",
49 "account.*re-verification",
50 "account.*security",
51 "account.*suspension",
52 "account.has.been",
53 "account.has.expired",
54 "account.will.be.blocked",
55 "account v[il]o[li]at",
56 "activity.*acc(oun)?t",
57 "almost.full",
58 "app[li]e.[il]d",
59 "authenticate.*account",
60 "been.*suspend",
61 "clos.*of.*account.*processed",
62 "confirm.your.account",
63 "courier.*able",
64 "crediential.*notif",
65 "deactivation.*in.*progress",
66 "delivery.*attempt.*failed",
67 "document.received",
68 "documented.*shared.*with.*you",
69 "dropbox.*document",
70 "e-?ma[il1]+ .{010}suspen",
71 "e-?ma[il1]{1} user",
72 "e-?ma[il1]{2} acc",
73 "e-?ma[il1]{2}.*up.?grade",
74 "e.?ma[il1]{2}.*server",
75 "e.?ma[il1]{2}.*suspend",
76 "email.update",
77 "faxed you",
78 "fraud(ulent)?.*charge",
79 "from.helpdesk",
80 "fu[il1]{2}.*ma[il1]+[ -]?box",
81 "has.been.*suspended",
82 "has.been.limited",
83 "have.locked",
84 "he[li]p ?desk upgrade",
85 "heipdesk",
86 "i[il]iega[il]",
87 "ii[il]ega[il]",
88 "incoming e?mail",
89 "incoming.*fax",
90 "lock.*security",
91 "ma[il1]{1}[ -]?box.*quo",
92 "ma[il1]{2}[ -]?box.*fu[il1]",
93 "ma[il1]{2}box.*[il1]{2}mit",
94 "ma[il1]{2}box stor",
95 "mail on.?hold",
96 "mail.*box.*migration",
97 "mail.*de-?activat",
98 "mail.update.required",
99 "mails.*pending",
100 "messages.*pending",
101 "missed.*shipping.*notification",
102 "missed.shipment.notification",
103 "must.update.your.account",
104 "new [sl][io]g?[nig][ -]?in from",
105 "new voice ?-?mail",
106 "notifications.*pending",
107 "office.*3.*6.*5.*suspend",
108 "office365",
109 "on google docs with you",
110 "online doc",
111 "password.*compromised",
112 "periodic maintenance",
113 "potential(ly)? unauthorized",
114 "refund not approved",
115 "report",
116 "revised.*policy",
117 "scam",
118 "scanned.?invoice",
119 "secured?.update",
120 "security breach",
121 "securlty",
122 "signed.*delivery",
123 "statement is ready",
124 "status of your .{314}? ?delivery",
125 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
126 "suspicious.*sign.*[io]n",
127 "suspicious.activit",
128 "temporar(il)?y deactivate",
129 "temporar[il1]{2}y disab[li]ed",
130 "temporarily.*lock",
131 "un-?usua[li].activity",
132 "unable.*deliver",
133 "unauthorized.*activit",
134 "unauthorized.device",
135 "undelivered message",
136 "unread.*doc",
137 "unusual.activity",
138 "upgrade.*account",
139 "upgrade.notice",
140 "urgent message",
141 "urgent.verification",
142 "v[il1]o[li1]at[il1]on security",
143 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
144 "verification ?-?require",
145 "verification( )?-?need",
146 "verify.your?.account",
147 "web ?-?ma[il1]{2}",
148 "web[ -]?ma[il1]{2}",
149 "will.be.suspended",
150 "your (customer )?account .as",
151 "your.office.365",
152 "your.online.access"
153 )
154 or any($suspicious_subjects, strings.icontains(subject.subject, .))
155 or regex.icontains(sender.display_name,
156 "Admin",
157 "Administrator",
158 "Alert",
159 "Assistant",
160 "Billing",
161 "Benefits",
162 "Bonus",
163 "CEO",
164 "CFO",
165 "CIO",
166 "CTO",
167 "Chairman",
168 "Claim",
169 "Confirm",
170 "Critical",
171 "Customer Service",
172 "Deal",
173 "Discount",
174 "Director",
175 "Exclusive",
176 "Executive",
177 "Fax",
178 "Free",
179 "Gift",
180 "/bHR/b",
181 "Helpdesk",
182 "Human Resources",
183 "Immediate",
184 "Important",
185 "Info",
186 "Information",
187 "Invoice",
188 '\bIT\b',
189 "Legal",
190 "Lottery",
191 "Management",
192 "Manager",
193 "Member Services",
194 "Notification",
195 "Offer",
196 "Operations",
197 "Order",
198 "Partner",
199 "Payment",
200 "Payroll",
201 "President",
202 "Premium",
203 "Prize",
204 "Receipt",
205 "Refund",
206 "Registrar",
207 "Required",
208 "Reward",
209 "Sales",
210 "Secretary",
211 "Security",
212 "Service",
213 "Signature",
214 "SSA",
215 "Storage",
216 "Support",
217 "Sweepstakes",
218 "System",
219 "Tax",
220 "Tech Support",
221 "Update",
222 "Upgrade",
223 "Urgent",
224 "Validate",
225 "Verify",
226 "VIP",
227 "Webmaster",
228 "Winner",
229 )
230 or any(body.links, strings.ends_with(.href_url.url, ".exe"))
231 )
232
233 // link can't be scanned due to Cloudflare captcha
234 and any(body.links,
235 (
236 strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
237 "cloudflare"
238 )
239 // includes the turnstile CAPTCHA
240 or (
241 strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
242 'https://challenges.cloudflare.com/turnstile/'
243 )
244 // has a short body length indicating the page is gated behind the turnstile instead
245 // of just including the turnstile
246 and length((
247 ml.link_analysis(., mode="aggressive").final_dom.display_text
248 )
249 ) < 200
250 )
251 )
252 and not (
253 ( // a Cloudflare error page
254 strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
255 "*error code*"
256 )
257 and any(ml.link_analysis(., mode="aggressive").final_dom.links,
258 strings.icontains(.href_url.query_params,
259 "utm_source=errorcode"
260 )
261 )
262 ) // a cookie warning mentioning Cloudflare
263 or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
264 "cookie.{0,50}Cloudflare"
265 )
266 or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
267 "marketbeat.com"
268 )
269 )
270 )
271 and (
272 not profile.by_sender_email().solicited
273 or (
274 profile.by_sender().any_messages_malicious_or_spam
275 and not profile.by_sender().any_messages_benign
276 )
277 )
278 // negate highly trusted sender domains unless they fail DMARC authentication
279 and (
280 (
281 sender.email.domain.root_domain in $high_trust_sender_root_domains
282 and not headers.auth_summary.dmarc.pass
283 )
284 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
285 )
286 and not profile.by_sender().any_messages_benign
287
288tags:
289 - "Attack surface reduction"
290attack_types:
291 - "Credential Phishing"
292detection_methods:
293 - "Content analysis"
294 - "Header analysis"
295 - "URL analysis"
296 - "Sender analysis"
297id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"