Suspicious message with unscannable Cloudflare link
This rule detects inbound messages from an unsolicited sender that carry fewer than ten links, none on the sender's own root domain, where at least one link resolves to a page link analysis cannot scan because it is gated behind Cloudflare (a Turnstile challenge, or a mostly empty page whose visible text mentions Cloudflare), and the subject or sender display name carries a suspicious indicator. Cloudflare error pages, cookie banners that merely mention Cloudflare, bounce-backs, and high-trust sender domains that pass DMARC are excluded.
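name: "Suspicious message with unscannable Cloudflare link"
description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Small link count and no link on the sender's own root domain: a message that
  // links back to its sender is usually legitimate mail, not a lure.
  and ( // sender domain matches no body domains
    0 < length(body.links) < 10
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  )

  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )

  // suspicious subject or display name
  // All patterns below are case-insensitive substring matches. Character classes such as
  // [il1] catch homoglyph substitutions (e.g. "ma1lbox") used to evade exact-string matching.
  and (
    regex.icontains(subject.subject,
                    "termination.*notice",
                    "38417",
                    ":completed",
                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                    "[il][il][il]egai[ -]",
                    "[li][li][li]ega[li] attempt",
                    "[ng]-?[io]n .*block",
                    "[ng]-?[io]n .*cancel",
                    "[ng]-?[io]n .*deactiv",
                    "[ng]-?[io]n .*disabl",
                    "action.*required",
                    "abandon.*package",
                    "about.your.account",
                    "acc(ou)?n?t (is )?on ho[li]d",
                    "acc(ou)?n?t.*terminat",
                    "acc(oun)?t.*[il1]{2}mitation",
                    "access.*limitation",
                    "account (will be )?block",
                    "account.*de-?activat",
                    "account.*locked",
                    "account.*re-verification",
                    "account.*security",
                    "account.*suspension",
                    "account.has.been",
                    "account.has.expired",
                    "account.will.be.blocked",
                    "account v[il]o[li]at",
                    "activity.*acc(oun)?t",
                    "almost.full",
                    "app[li]e.[il]d",
                    "authenticate.*account",
                    "been.*suspend",
                    "clos.*of.*account.*processed",
                    "confirm.your.account",
                    "courier.*able",
                    "crediential.*notif",
                    "deactivation.*in.*progress",
                    "delivery.*attempt.*failed",
                    "document.received",
                    "documented.*shared.*with.*you",
                    "dropbox.*document",
                    // NOTE(review): ".{010}" is an exact-count quantifier (exactly ten characters),
                    // not a range; "{0,10}" is probably what was meant -- confirm before changing.
                    "e-?ma[il1]+ .{010}suspen",
                    "e-?ma[il1]{1} user",
                    "e-?ma[il1]{2} acc",
                    "e-?ma[il1]{2}.*up.?grade",
                    "e.?ma[il1]{2}.*server",
                    "e.?ma[il1]{2}.*suspend",
                    "email.update",
                    "faxed you",
                    "fraud(ulent)?.*charge",
                    "from.helpdesk",
                    "fu[il1]{2}.*ma[il1]+[ -]?box",
                    "has.been.*suspended",
                    "has.been.limited",
                    "have.locked",
                    "he[li]p ?desk upgrade",
                    "heipdesk",
                    "i[il]iega[il]",
                    "ii[il]ega[il]",
                    "incoming e?mail",
                    "incoming.*fax",
                    "lock.*security",
                    "ma[il1]{1}[ -]?box.*quo",
                    "ma[il1]{2}[ -]?box.*fu[il1]",
                    "ma[il1]{2}box.*[il1]{2}mit",
                    "ma[il1]{2}box stor",
                    "mail on.?hold",
                    "mail.*box.*migration",
                    "mail.*de-?activat",
                    "mail.update.required",
                    "mails.*pending",
                    "messages.*pending",
                    "missed.*shipping.*notification",
                    "missed.shipment.notification",
                    "must.update.your.account",
                    "new [sl][io]g?[nig][ -]?in from",
                    "new voice ?-?mail",
                    "notifications.*pending",
                    "office.*3.*6.*5.*suspend",
                    "office365",
                    "on google docs with you",
                    "online doc",
                    "password.*compromised",
                    "periodic maintenance",
                    "potential(ly)? unauthorized",
                    "refund not approved",
                    // "report" and "scam" are very broad single words; they only fire here because
                    // the Cloudflare-gated-link and unsolicited-sender conditions below also apply.
                    "report",
                    "revised.*policy",
                    "scam",
                    "scanned.?invoice",
                    "secured?.update",
                    "security breach",
                    "securlty",
                    "signed.*delivery",
                    // NOTE(review): ".{314}?" requires exactly 314 characters between the words,
                    // so this pattern is effectively dead; "{3,14}?" is the likely intent -- confirm.
                    "status of your .{314}? ?delivery",
                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                    "suspicious.*sign.*[io]n",
                    "suspicious.activit",
                    "temporar(il)?y deactivate",
                    "temporar[il1]{2}y disab[li]ed",
                    "temporarily.*lock",
                    "un-?usua[li].activity",
                    "unable.*deliver",
                    "unauthorized.*activit",
                    "unauthorized.device",
                    "undelivered message",
                    "unread.*doc",
                    "unusual.activity",
                    "upgrade.*account",
                    "upgrade.notice",
                    "urgent message",
                    "urgent.verification",
                    "v[il1]o[li1]at[il1]on security",
                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                    "verification ?-?require",
                    "verification( )?-?need",
                    "verify.your?.account",
                    "web ?-?ma[il1]{2}",
                    "web[ -]?ma[il1]{2}",
                    "will.be.suspended",
                    "your (customer )?account .as",
                    "your.office.365",
                    "your.online.access"
    )
    or any($suspicious_subjects, strings.icontains(subject.subject, .))
    // Display-name terms are unanchored substrings: "Free" also matches "Freeman",
    // "Deal" matches "Dealer", "Order" matches "Border". Only HR and IT are
    // word-bounded because as two-letter tokens they would otherwise match almost anything.
    or regex.icontains(sender.display_name,
                       "Admin",
                       "Administrator",
                       "Alert",
                       "Assistant",
                       "Billing",
                       "Benefits",
                       "Bonus",
                       "CEO",
                       "CFO",
                       "CIO",
                       "CTO",
                       "Chairman",
                       "Claim",
                       "Confirm",
                       "Critical",
                       "Customer Service",
                       "Deal",
                       "Discount",
                       "Director",
                       "Exclusive",
                       "Executive",
                       "Fax",
                       "Free",
                       "Gift",
                       // Fixed: the previous "/bHR/b" used forward slashes, so it matched only the
                       // literal text "/bHR/b" and never a display name containing "HR".
                       // Quoted the same way as the IT entry below so \b is a regex word boundary.
                       '\bHR\b',
                       "Helpdesk",
                       "Human Resources",
                       "Immediate",
                       "Important",
                       "Info",
                       "Information",
                       "Invoice",
                       '\bIT\b',
                       "Legal",
                       "Lottery",
                       "Management",
                       "Manager",
                       "Member Services",
                       "Notification",
                       "Offer",
                       "Operations",
                       "Order",
                       "Partner",
                       "Payment",
                       "Payroll",
                       "President",
                       "Premium",
                       "Prize",
                       "Receipt",
                       "Refund",
                       "Registrar",
                       "Required",
                       "Reward",
                       "Sales",
                       "Secretary",
                       "Security",
                       "Service",
                       "Signature",
                       "Storage",
                       "Support",
                       "Sweepstakes",
                       "System",
                       "Tax",
                       "Tech Support",
                       "Update",
                       "Upgrade",
                       "Urgent",
                       "Validate",
                       "Verify",
                       "VIP",
                       "Webmaster",
                       "Winner",
    )
  )

  // link can't be scanned due to Cloudflare captcha
  // Two signals: the rendered page's visible text mentions Cloudflare, or the
  // rendered DOM embeds the Turnstile widget AND the visible text is short
  // (a real page that merely includes Turnstile on a form still has content).
  and any(body.links,
          (
            strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                              "cloudflare"
            )
            // includes the turnstile CAPTCHA
            or (
              strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                                'https://challenges.cloudflare.com/turnstile/'
              )
              // has a short body length indicating the page is gated behind the turnstile instead
              // of just including the turnstile
              and length((
                ml.link_analysis(., mode="aggressive").final_dom.display_text
              )
              ) < 200
            )
          )
          // Known benign reasons for "cloudflare" to appear in the rendered text.
          and not (
            ( // a Cloudflare error page
              strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                            "*error code*"
              )
              and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                      strings.icontains(.href_url.query_params,
                                        "utm_source=errorcode"
                      )
              )
            ) // a cookie warning mentioning Cloudflare
            or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                               "cookie.{0,50}Cloudflare"
            )
            // site-specific false-positive allowlist; extend here rather than loosening the logic above
            or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
              "marketbeat.com"
            )
          )
  )
  // Sender has not been solicited, or has prior malicious/spam history with no recorded
  // false positives. The trailing any_false_positives guard at the end of the rule makes
  // the inner "and not ... any_false_positives" redundant but harmless.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust domain that fails DMARC may be spoofed, so it is still in scope)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().any_false_positives

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"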