Suspicious message with unscannable Cloudflare link
This rule detects messages from an unsolicited sender that contain links to Cloudflare-fronted infrastructure which cannot be scanned, combined with suspicious indicators in the subject or the sender display name.
Sublime rule (View on GitHub)
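name: "Suspicious message with unscannable Cloudflare link"
description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // sender domain matches no body domains: a small number of links (1-9),
  // none of which resolve to the sender's own root domain
  and (
    0 < length(body.links) < 10
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  )

  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )

  // suspicious subject or display name
  // Several entries below ("report", "scam", "office365", "online doc") are broad
  // substrings; they only contribute a verdict in combination with the link and
  // sender-profile conditions further down.
  and (
    regex.icontains(subject.subject,
                    "termination.*notice",
                    "38417",
                    ":completed",
                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                    "[il][il][il]egai[ -]",
                    "[li][li][li]ega[li] attempt",
                    "[ng]-?[io]n .*block",
                    "[ng]-?[io]n .*cancel",
                    "[ng]-?[io]n .*deactiv",
                    "[ng]-?[io]n .*disabl",
                    "action.*required",
                    "abandon.*package",
                    "about.your.account",
                    "acc(ou)?n?t (is )?on ho[li]d",
                    "acc(ou)?n?t.*terminat",
                    "acc(oun)?t.*[il1]{2}mitation",
                    "access.*limitation",
                    "account (will be )?block",
                    "account.*de-?activat",
                    "account.*locked",
                    "account.*re-verification",
                    "account.*security",
                    "account.*suspension",
                    "account.has.been",
                    "account.has.expired",
                    "account.will.be.blocked",
                    "account v[il]o[li]at",
                    "activity.*acc(oun)?t",
                    "almost.full",
                    "app[li]e.[il]d",
                    "authenticate.*account",
                    "been.*suspend",
                    "clos.*of.*account.*processed",
                    "confirm.your.account",
                    "courier.*able",
                    "deactivation.*in.*progress",
                    "delivery.*attempt.*failed",
                    "document.received",
                    "documented.*shared.*with.*you",
                    "dropbox.*document",
                    // range quantifier: the previous form .{010} required exactly ten
                    // characters between "mail " and "suspen", so it rarely matched
                    "e-?ma[il1]+ .{0,10}suspen",
                    "e-?ma[il1]{1} user",
                    "e-?ma[il1]{2} acc",
                    "e-?ma[il1]{2}.*up.?grade",
                    "e.?ma[il1]{2}.*server",
                    "e.?ma[il1]{2}.*suspend",
                    "email.update",
                    "faxed you",
                    "fraud(ulent)?.*charge",
                    "from.helpdesk",
                    "fu[il1]{2}.*ma[il1]+[ -]?box",
                    "has.been.*suspended",
                    "has.been.limited",
                    "have.locked",
                    "he[li]p ?desk upgrade",
                    "heipdesk",
                    "i[il]iega[il]",
                    "ii[il]ega[il]",
                    "incoming e?mail",
                    "incoming.*fax",
                    "lock.*security",
                    "ma[il1]{1}[ -]?box.*quo",
                    "ma[il1]{2}[ -]?box.*fu[il1]",
                    "ma[il1]{2}box.*[il1]{2}mit",
                    "ma[il1]{2}box stor",
                    "mail on.?hold",
                    "mail.*box.*migration",
                    "mail.*de-?activat",
                    "mail.update.required",
                    "mails.*pending",
                    "messages.*pending",
                    "missed.*shipping.*notification",
                    "missed.shipment.notification",
                    "must.update.your.account",
                    "new [sl][io]g?[nig][ -]?in from",
                    "new voice ?-?mail",
                    "notifications.*pending",
                    "office.*3.*6.*5.*suspend",
                    "office365",
                    "on google docs with you",
                    "online doc",
                    "password.*compromised",
                    "periodic maintenance",
                    "potential(ly)? unauthorized",
                    "refund not approved",
                    "report",
                    "revised.*policy",
                    "scam",
                    "scanned.?invoice",
                    "secured?.update",
                    "security breach",
                    "securlty",
                    "signed.*delivery",
                    // range quantifier: the previous form .{314}? required exactly 314
                    // characters before "delivery" and could not match a real subject
                    "status of your .{3,14}? ?delivery",
                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                    "suspicious.*sign.*[io]n",
                    "suspicious.activit",
                    "temporar(il)?y deactivate",
                    "temporar[il1]{2}y disab[li]ed",
                    "temporarily.*lock",
                    "un-?usua[li].activity",
                    "unable.*deliver",
                    "unauthorized.*activit",
                    "unauthorized.device",
                    "undelivered message",
                    "unread.*doc",
                    "unusual.activity",
                    "upgrade.*account",
                    "upgrade.notice",
                    "urgent message",
                    "urgent.verification",
                    "v[il1]o[li1]at[il1]on security",
                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                    "verification ?-?require",
                    "verification( )?-?need",
                    "verify.your?.account",
                    "web ?-?ma[il1]{2}",
                    "web[ -]?ma[il1]{2}",
                    "will.be.suspended",
                    "your (customer )?account .as",
                    "your.office.365",
                    "your.online.access"
    )
    // shared subject list maintained outside this rule
    or any($suspicious_subjects, strings.icontains(subject.subject, .))
    or regex.icontains(sender.display_name,
                       "Admin",
                       "Administrator",
                       "Alert",
                       "Assistant",
                       "Billing",
                       "Benefits",
                       "Bonus",
                       "CEO",
                       "CFO",
                       "CIO",
                       "CTO",
                       "Chairman",
                       "Claim",
                       "Confirm",
                       "Critical",
                       "Customer Service",
                       "Deal",
                       "Discount",
                       "Director",
                       "Exclusive",
                       "Executive",
                       "Fax",
                       "Free",
                       "Gift",
                       // word-boundary form, same as the '\bIT\b' entry below; the
                       // previous "/bHR/b" used forward slashes and matched only the
                       // literal text /bHR/b, never the bare word HR
                       '\bHR\b',
                       "Helpdesk",
                       "Human Resources",
                       "Immediate",
                       "Important",
                       "Info",
                       "Information",
                       "Invoice",
                       '\bIT\b',
                       "Legal",
                       "Lottery",
                       "Management",
                       "Manager",
                       "Member Services",
                       "Notification",
                       "Offer",
                       "Operations",
                       "Order",
                       "Partner",
                       "Payment",
                       "Payroll",
                       "President",
                       "Premium",
                       "Prize",
                       "Receipt",
                       "Refund",
                       "Registrar",
                       "Required",
                       "Reward",
                       "Sales",
                       "Secretary",
                       "Security",
                       "Service",
                       "Signature",
                       "Storage",
                       "Support",
                       "Sweepstakes",
                       "System",
                       "Tax",
                       "Tech Support",
                       "Update",
                       "Upgrade",
                       "Urgent",
                       "Validate",
                       "Verify",
                       "VIP",
                       "Webmaster",
                       "Winner",
    )
  )

  // link can't be scanned due to Cloudflare captcha: the crawled final page
  // mentions Cloudflare, and it is neither a Cloudflare error page nor a cookie
  // banner that merely names Cloudflare, nor the known benign root domain below
  and any(body.links,
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                          "cloudflare"
          )
          and not (
            ( // a Cloudflare error page
              strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                            "*error code*"
              )
              and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                      strings.icontains(.href_url.query_params,
                                        "utm_source=errorcode"
                      )
              )
            )
            // a cookie warning mentioning Cloudflare
            or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                               "cookie.{0,50}Cloudflare"
            )
            // known benign destination
            or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in ("marketbeat.com")
          )
  )

  // unsolicited sender, or a sender with prior malicious/spam messages
  // (the inner any_false_positives check is already implied by the final clause)
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // any prior false positive from this sender suppresses the rule entirely
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"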