Suspicious message with unscannable Cloudflare link

This rule detects messages from an unsolicited sender that contain links to Cloudflare infrastructure which cannot be scanned, combined with suspicious indicators in the subject or sender display name.


  1name: "Suspicious message with unscannable Cloudflare link"
  2description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and ( // sender domain matches no body domains
  8    0 < length(body.links) < 10
  9    and all(body.links,
 10            .href_url.domain.root_domain != sender.email.domain.root_domain
 11    )
 12  )
 13  
 14  // negate bouncebacks and undeliverables
 15  and not any(attachments,
 16              .content_type in (
 17                "message/global-delivery-status",
 18                "message/delivery-status"
 19              )
 20  )
 21  
 22  // suspicious subject or display name
 23  and (
 24    regex.icontains(subject.subject,
 25                    "termination.*notice",
 26                    "38417",
 27                    ":completed",
 28                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 29                    "[il][il][il]egai[ -]",
 30                    "[li][li][li]ega[li] attempt",
 31                    "[ng]-?[io]n .*block",
 32                    "[ng]-?[io]n .*cancel",
 33                    "[ng]-?[io]n .*deactiv",
 34                    "[ng]-?[io]n .*disabl",
 35                    "action.*required",
 36                    "abandon.*package",
 37                    "about.your.account",
 38                    "acc(ou)?n?t (is )?on ho[li]d",
 39                    "acc(ou)?n?t.*terminat",
 40                    "acc(oun)?t.*[il1]{2}mitation",
 41                    "access.*limitation",
 42                    "account (will be )?block",
 43                    "account.*de-?activat",
 44                    "account.*locked",
 45                    "account.*re-verification",
 46                    "account.*security",
 47                    "account.*suspension",
 48                    "account.has.been",
 49                    "account.has.expired",
 50                    "account.will.be.blocked",
 51                    "account v[il]o[li]at",
 52                    "activity.*acc(oun)?t",
 53                    "almost.full",
 54                    "app[li]e.[il]d",
 55                    "authenticate.*account",
 56                    "been.*suspend",
 57                    "clos.*of.*account.*processed",
 58                    "confirm.your.account",
 59                    "courier.*able",
 60                    "crediential.*notif",
 61                    "deactivation.*in.*progress",
 62                    "delivery.*attempt.*failed",
 63                    "document.received",
 64                    "documented.*shared.*with.*you",
 65                    "dropbox.*document",
 66                    "e-?ma[il1]+ .{010}suspen",
 67                    "e-?ma[il1]{1} user",
 68                    "e-?ma[il1]{2} acc",
 69                    "e-?ma[il1]{2}.*up.?grade",
 70                    "e.?ma[il1]{2}.*server",
 71                    "e.?ma[il1]{2}.*suspend",
 72                    "email.update",
 73                    "faxed you",
 74                    "fraud(ulent)?.*charge",
 75                    "from.helpdesk",
 76                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 77                    "has.been.*suspended",
 78                    "has.been.limited",
 79                    "have.locked",
 80                    "he[li]p ?desk upgrade",
 81                    "heipdesk",
 82                    "i[il]iega[il]",
 83                    "ii[il]ega[il]",
 84                    "incoming e?mail",
 85                    "incoming.*fax",
 86                    "lock.*security",
 87                    "ma[il1]{1}[ -]?box.*quo",
 88                    "ma[il1]{2}[ -]?box.*fu[il1]",
 89                    "ma[il1]{2}box.*[il1]{2}mit",
 90                    "ma[il1]{2}box stor",
 91                    "mail on.?hold",
 92                    "mail.*box.*migration",
 93                    "mail.*de-?activat",
 94                    "mail.update.required",
 95                    "mails.*pending",
 96                    "messages.*pending",
 97                    "missed.*shipping.*notification",
 98                    "missed.shipment.notification",
 99                    "must.update.your.account",
100                    "new [sl][io]g?[nig][ -]?in from",
101                    "new voice ?-?mail",
102                    "notifications.*pending",
103                    "office.*3.*6.*5.*suspend",
104                    "office365",
105                    "on google docs with you",
106                    "online doc",
107                    "password.*compromised",
108                    "periodic maintenance",
109                    "potential(ly)? unauthorized",
110                    "refund not approved",
111                    "report",
112                    "revised.*policy",
113                    "scam",
114                    "scanned.?invoice",
115                    "secured?.update",
116                    "security breach",
117                    "securlty",
118                    "signed.*delivery",
119                    "status of your .{314}? ?delivery",
120                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
121                    "suspicious.*sign.*[io]n",
122                    "suspicious.activit",
123                    "temporar(il)?y deactivate",
124                    "temporar[il1]{2}y disab[li]ed",
125                    "temporarily.*lock",
126                    "un-?usua[li].activity",
127                    "unable.*deliver",
128                    "unauthorized.*activit",
129                    "unauthorized.device",
130                    "undelivered message",
131                    "unread.*doc",
132                    "unusual.activity",
133                    "upgrade.*account",
134                    "upgrade.notice",
135                    "urgent message",
136                    "urgent.verification",
137                    "v[il1]o[li1]at[il1]on security",
138                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
139                    "verification ?-?require",
140                    "verification( )?-?need",
141                    "verify.your?.account",
142                    "web ?-?ma[il1]{2}",
143                    "web[ -]?ma[il1]{2}",
144                    "will.be.suspended",
145                    "your (customer )?account .as",
146                    "your.office.365",
147                    "your.online.access"
148    )
149    or any($suspicious_subjects, strings.icontains(subject.subject, .))
150    or regex.icontains(sender.display_name,
151                       "Admin",
152                       "Administrator",
153                       "Alert",
154                       "Assistant",
155                       "Billing",
156                       "Benefits",
157                       "Bonus",
158                       "CEO",
159                       "CFO",
160                       "CIO",
161                       "CTO",
162                       "Chairman",
163                       "Claim",
164                       "Confirm",
165                       "Critical",
166                       "Customer Service",
167                       "Deal",
168                       "Discount",
169                       "Director",
170                       "Exclusive",
171                       "Executive",
172                       "Fax",
173                       "Free",
174                       "Gift",
175                       "/bHR/b",
176                       "Helpdesk",
177                       "Human Resources",
178                       "Immediate",
179                       "Important",
180                       "Info",
181                       "Information",
182                       "Invoice",
183                       '\bIT\b',
184                       "Legal",
185                       "Lottery",
186                       "Management",
187                       "Manager",
188                       "Member Services",
189                       "Notification",
190                       "Offer",
191                       "Operations",
192                       "Order",
193                       "Partner",
194                       "Payment",
195                       "Payroll",
196                       "President",
197                       "Premium",
198                       "Prize",
199                       "Receipt",
200                       "Refund",
201                       "Registrar",
202                       "Required",
203                       "Reward",
204                       "Sales",
205                       "Secretary",
206                       "Security",
207                       "Service",
208                       "Signature",
209                       "Storage",
210                       "Support",
211                       "Sweepstakes",
212                       "System",
213                       "Tax",
214                       "Tech Support",
215                       "Update",
216                       "Upgrade",
217                       "Urgent",
218                       "Validate",
219                       "Verify",
220                       "VIP",
221                       "Webmaster",
222                       "Winner",
223    )
224  )
225  
226  // link can't be scanned due to Cloudflare captcha
227  and any(body.links,
228          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
229                          "cloudflare"
230          )
231          and not (
232            ( // a Cloudflare error page
233              strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
234                            "*error code*"
235              )
236              and any(ml.link_analysis(., mode="aggressive").final_dom.links,
237                      strings.icontains(.href_url.query_params,
238                                        "utm_source=errorcode"
239                      )
240              )
241            ) // a cookie warning mentioning Cloudflare
242            or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
243                               "cookie.{0,50}Cloudflare"
244            )
245            or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in ("marketbeat.com")
246          )
247  )
248  and (
249    not profile.by_sender().solicited
250    or (
251      profile.by_sender().any_messages_malicious_or_spam
252      and not profile.by_sender().any_false_positives
253    )
254  )
255  // negate highly trusted sender domains unless they fail DMARC authentication
256  and (
257    (
258      sender.email.domain.root_domain in $high_trust_sender_root_domains
259      and not headers.auth_summary.dmarc.pass
260    )
261    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
262  )
263  and not profile.by_sender().any_false_positives  
264
265tags:
266  - "Attack surface reduction"
267attack_types:
268  - "Credential Phishing"
269detection_methods:
270  - "Content analysis"
271  - "Header analysis"
272  - "URL analysis"
273  - "Sender analysis"
274id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"
