Suspicious message with unscannable Cloudflare link

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Sublime rule (View on GitHub)

  1name: "Suspicious message with unscannable Cloudflare link"
  2description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      // few links
 10      0 < length(body.links) < 20
 11      // fewer unique root domain links
 12      and length(distinct(body.links, .href_url.domain.root_domain)) < 10
 13      // sender domain matches no body domains
 14      and all(body.links,
 15              .href_url.domain.root_domain != sender.email.domain.root_domain
 16      )
 17    )
 18    or beta.scan_qr(file.message_screenshot()).found
 19  )
 20  
 21  // negate bouncebacks and undeliverables
 22  and not any(attachments,
 23              .content_type in (
 24                "message/global-delivery-status",
 25                "message/delivery-status"
 26              )
 27  )
 28  
 29  // suspicious subject or display name
 30  and (
 31    regex.icontains(subject.subject,
 32                    "termination.*notice",
 33                    "38417",
 34                    ":completed",
 35                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 36                    "[il][il][il]egai[ -]",
 37                    "[li][li][li]ega[li] attempt",
 38                    "[ng]-?[io]n .*block",
 39                    "[ng]-?[io]n .*cancel",
 40                    "[ng]-?[io]n .*deactiv",
 41                    "[ng]-?[io]n .*disabl",
 42                    "action.*required",
 43                    "abandon.*package",
 44                    "about.your.account",
 45                    "acc(ou)?n?t (is )?on ho[li]d",
 46                    "acc(ou)?n?t.*terminat",
 47                    "acc(oun)?t.*[il1]{2}mitation",
 48                    "access.*limitation",
 49                    "account (will be )?block",
 50                    "account.*de-?activat",
 51                    "account.*locked",
 52                    "account.*re-verification",
 53                    "account.*security",
 54                    "account.*suspension",
 55                    "account.has.been",
 56                    "account.has.expired",
 57                    "account.will.be.blocked",
 58                    "account v[il]o[li]at",
 59                    "activity.*acc(oun)?t",
 60                    "almost.full",
 61                    "app[li]e.[il]d",
 62                    "authenticate.*account",
 63                    "been.*suspend",
 64                    "clos.*of.*account.*processed",
 65                    "confirm.your.account",
 66                    "courier.*able",
 67                    "crediential.*notif",
 68                    "deactivation.*in.*progress",
 69                    "delivery.*attempt.*failed",
 70                    "document.received",
 71                    "documented.*shared.*with.*you",
 72                    "dropbox.*document",
 73                    "e-?ma[il1]+ .{010}suspen",
 74                    "e-?ma[il1]{1} user",
 75                    "e-?ma[il1]{2} acc",
 76                    "e-?ma[il1]{2}.*up.?grade",
 77                    "e.?ma[il1]{2}.*server",
 78                    "e.?ma[il1]{2}.*suspend",
 79                    "email.update",
 80                    "faxed you",
 81                    "fraud(ulent)?.*charge",
 82                    "from.helpdesk",
 83                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 84                    "has.been.*suspended",
 85                    "has.been.limited",
 86                    "have.locked",
 87                    "he[li]p ?desk upgrade",
 88                    "heipdesk",
 89                    "i[il]iega[il]",
 90                    "ii[il]ega[il]",
 91                    "incoming e?mail",
 92                    "incoming.*fax",
 93                    "lock.*security",
 94                    "ma[il1]{1}[ -]?box.*quo",
 95                    "ma[il1]{2}[ -]?box.*fu[il1]",
 96                    "ma[il1]{2}box.*[il1]{2}mit",
 97                    "ma[il1]{2}box stor",
 98                    "mail on.?hold",
 99                    "mail.*box.*migration",
100                    "mail.*de-?activat",
101                    "mail.update.required",
102                    "mails.*pending",
103                    "messages.*pending",
104                    "missed.*shipping.*notification",
105                    "missed.shipment.notification",
106                    "must.update.your.account",
107                    "new [sl][io]g?[nig][ -]?in from",
108                    "new voice ?-?mail",
109                    "notifications.*pending",
110                    "office.*3.*6.*5.*suspend",
111                    "office365",
112                    "on google docs with you",
113                    "online doc",
114                    "password.*compromised",
115                    "periodic maintenance",
116                    "potential(ly)? unauthorized",
117                    "refund not approved",
118                    "report",
119                    "revised.*policy",
120                    "scam",
121                    "scanned.?invoice",
122                    "secured?.update",
123                    "security breach",
124                    "securlty",
125                    "signed.*delivery",
126                    "statement is ready",
127                    "status of your .{314}? ?delivery",
128                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
129                    "suspicious.*sign.*[io]n",
130                    "suspicious.activit",
131                    "temporar(il)?y deactivate",
132                    "temporar[il1]{2}y disab[li]ed",
133                    "temporarily.*lock",
134                    "un-?usua[li].activity",
135                    "unable.*deliver",
136                    "unauthorized.*activit",
137                    "unauthorized.device",
138                    "undelivered message",
139                    "unread.*doc",
140                    "unusual.activity",
141                    "upgrade.*account",
142                    "upgrade.notice",
143                    "urgent message",
144                    "urgent.verification",
145                    "v[il1]o[li1]at[il1]on security",
146                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
147                    "verification ?-?require",
148                    "verification( )?-?need",
149                    "verify.your?.account",
150                    "web ?-?ma[il1]{2}",
151                    "web[ -]?ma[il1]{2}",
152                    "will.be.suspended",
153                    "your (customer )?account .as",
154                    "your.office.365",
155                    "your.online.access"
156    )
157    or any($suspicious_subjects, strings.icontains(subject.subject, .))
158    or regex.icontains(sender.display_name,
159                       "Admin",
160                       "Administrator",
161                       "Alert",
162                       "Assistant",
163                       "Billing",
164                       "Benefits",
165                       "Bonus",
166                       "CEO",
167                       "CFO",
168                       "CIO",
169                       "CTO",
170                       "Chairman",
171                       "Claim",
172                       "Confirm",
173                       "Critical",
174                       "Customer Service",
175                       "Deal",
176                       "Discount",
177                       "Director",
178                       "Exclusive",
179                       "Executive",
180                       "Fax",
181                       "Free",
182                       "Gift",
183                       "/bHR/b",
184                       "Helpdesk",
185                       "Human Resources",
186                       "Immediate",
187                       "Important",
188                       "Info",
189                       "Information",
190                       "Invoice",
191                       '\bIT\b',
192                       "Legal",
193                       "Lottery",
194                       "Management",
195                       "Manager",
196                       "Member Services",
197                       "Notification",
198                       "Offer",
199                       "Operations",
200                       "Order",
201                       "Partner",
202                       "Payment",
203                       "Payroll",
204                       "President",
205                       "Premium",
206                       "Prize",
207                       "Receipt",
208                       "Refund",
209                       "Registrar",
210                       "Required",
211                       "Reward",
212                       "Sales",
213                       "Secretary",
214                       "Security",
215                       "Service",
216                       "Signature",
217                       "SSA",
218                       "Storage",
219                       "Support",
220                       "Sweepstakes",
221                       "System",
222                       "Tax",
223                       "Tech Support",
224                       "Update",
225                       "Upgrade",
226                       "Urgent",
227                       "Validate",
228                       "Verify",
229                       "VIP",
230                       "Webmaster",
231                       "Winner",
232    )
233    or any(body.links, strings.ends_with(.href_url.url, ".exe"))
234  )
235  
236  // link can't be scanned due to Cloudflare captcha
237  and (
238    any(body.links,
239        (
240          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
241                            "cloudflare"
242          )
243          // includes the turnstile CAPTCHA
244          or (
245            strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
246                              'https://challenges.cloudflare.com/turnstile/'
247            )
248            // has a short body length indicating the page is gated behind the turnstile instead
249            // of just including the turnstile
250            and length((
251                         ml.link_analysis(., mode="aggressive").final_dom.display_text
252                       )
253            ) < 200
254          )
255        )
256        and not (
257          ( // a Cloudflare error page
258            strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
259                          "*error code*"
260            )
261            and any(ml.link_analysis(., mode="aggressive").final_dom.links,
262                    strings.icontains(.href_url.query_params,
263                                      "utm_source=errorcode"
264                    )
265            )
266          ) // a cookie warning mentioning Cloudflare
267          or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
268                             "cookie.{0,50}Cloudflare"
269          )
270          or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
271            "marketbeat.com"
272          )
273        )
274    )
275    or any(beta.scan_qr(file.message_screenshot()).items,
276           .type == "url"
277           and (
278             strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
279                               "cloudflare"
280             )
281             // includes the turnstile CAPTCHA
282             or (
283               strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.raw,
284                                 'https://challenges.cloudflare.com/turnstile/'
285               )
286               // has a short body length indicating the page is gated behind the turnstile instead
287               // of just including the turnstile
288               and length((
289                            ml.link_analysis(.url, mode="aggressive").final_dom.display_text
290                          )
291               ) < 200
292             )
293           )
294           and not (
295             ( // a Cloudflare error page
296               strings.ilike(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
297                             "*error code*"
298               )
299               and any(ml.link_analysis(.url, mode="aggressive").final_dom.links,
300                       strings.icontains(.href_url.query_params,
301                                         "utm_source=errorcode"
302                       )
303               )
304             ) // a cookie warning mentioning Cloudflare
305             or regex.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
306                                "cookie.{0,50}Cloudflare"
307             )
308             or ml.link_analysis(.url, mode="aggressive").effective_url.domain.root_domain in (
309               "marketbeat.com"
310             )
311           )
312    )
313  )
314  and (
315    not profile.by_sender_email().solicited
316    or (
317      profile.by_sender().any_messages_malicious_or_spam
318      and not profile.by_sender().any_messages_benign
319    )
320  )
321  // negate highly trusted sender domains unless they fail DMARC authentication
322  and (
323    (
324      sender.email.domain.root_domain in $high_trust_sender_root_domains
325      and not headers.auth_summary.dmarc.pass
326    )
327    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
328  )
329  and not profile.by_sender().any_messages_benign  
330
331tags:
332  - "Attack surface reduction"
333attack_types:
334  - "Credential Phishing"
335detection_methods:
336  - "Content analysis"
337  - "Header analysis"
338  - "URL analysis"
339  - "Sender analysis"
340id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"

Related rules

to-top