Suspicious message with unscannable Cloudflare link

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Sublime rule (View on GitHub)

  1name: "Suspicious message with unscannable Cloudflare link"
  2description: "This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and ( // sender domain matches no body domains
  8    0 < length(body.links) < 10
  9    and all(body.links,
 10            .href_url.domain.root_domain != sender.email.domain.root_domain
 11    )
 12  )
 13  
 14  // negate bouncebacks and undeliverables
 15  and not any(attachments,
 16              .content_type in (
 17                "message/global-delivery-status",
 18                "message/delivery-status"
 19              )
 20  )
 21  
 22  // suspicious subject or display name
 23  and (
 24    regex.icontains(subject.subject,
 25                    "termination.*notice",
 26                    "38417",
 27                    ":completed",
 28                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 29                    "[il][il][il]egai[ -]",
 30                    "[li][li][li]ega[li] attempt",
 31                    "[ng]-?[io]n .*block",
 32                    "[ng]-?[io]n .*cancel",
 33                    "[ng]-?[io]n .*deactiv",
 34                    "[ng]-?[io]n .*disabl",
 35                    "action.*required",
 36                    "abandon.*package",
 37                    "about.your.account",
 38                    "acc(ou)?n?t (is )?on ho[li]d",
 39                    "acc(ou)?n?t.*terminat",
 40                    "acc(oun)?t.*[il1]{2}mitation",
 41                    "access.*limitation",
 42                    "account (will be )?block",
 43                    "account.*de-?activat",
 44                    "account.*locked",
 45                    "account.*re-verification",
 46                    "account.*security",
 47                    "account.*suspension",
 48                    "account.has.been",
 49                    "account.has.expired",
 50                    "account.will.be.blocked",
 51                    "account v[il]o[li]at",
 52                    "activity.*acc(oun)?t",
 53                    "almost.full",
 54                    "app[li]e.[il]d",
 55                    "authenticate.*account",
 56                    "been.*suspend",
 57                    "clos.*of.*account.*processed",
 58                    "confirm.your.account",
 59                    "courier.*able",
 60                    "deactivation.*in.*progress",
 61                    "delivery.*attempt.*failed",
 62                    "document.received",
 63                    "documented.*shared.*with.*you",
 64                    "dropbox.*document",
 65                    "e-?ma[il1]+ .{010}suspen",
 66                    "e-?ma[il1]{1} user",
 67                    "e-?ma[il1]{2} acc",
 68                    "e-?ma[il1]{2}.*up.?grade",
 69                    "e.?ma[il1]{2}.*server",
 70                    "e.?ma[il1]{2}.*suspend",
 71                    "email.update",
 72                    "faxed you",
 73                    "fraud(ulent)?.*charge",
 74                    "from.helpdesk",
 75                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 76                    "has.been.*suspended",
 77                    "has.been.limited",
 78                    "have.locked",
 79                    "he[li]p ?desk upgrade",
 80                    "heipdesk",
 81                    "i[il]iega[il]",
 82                    "ii[il]ega[il]",
 83                    "incoming e?mail",
 84                    "incoming.*fax",
 85                    "lock.*security",
 86                    "ma[il1]{1}[ -]?box.*quo",
 87                    "ma[il1]{2}[ -]?box.*fu[il1]",
 88                    "ma[il1]{2}box.*[il1]{2}mit",
 89                    "ma[il1]{2}box stor",
 90                    "mail on.?hold",
 91                    "mail.*box.*migration",
 92                    "mail.*de-?activat",
 93                    "mail.update.required",
 94                    "mails.*pending",
 95                    "messages.*pending",
 96                    "missed.*shipping.*notification",
 97                    "missed.shipment.notification",
 98                    "must.update.your.account",
 99                    "new [sl][io]g?[nig][ -]?in from",
100                    "new voice ?-?mail",
101                    "notifications.*pending",
102                    "office.*3.*6.*5.*suspend",
103                    "office365",
104                    "on google docs with you",
105                    "online doc",
106                    "password.*compromised",
107                    "periodic maintenance",
108                    "potential(ly)? unauthorized",
109                    "refund not approved",
110                    "report",
111                    "revised.*policy",
112                    "scam",
113                    "scanned.?invoice",
114                    "secured?.update",
115                    "security breach",
116                    "securlty",
117                    "signed.*delivery",
118                    "status of your .{314}? ?delivery",
119                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
120                    "suspicious.*sign.*[io]n",
121                    "suspicious.activit",
122                    "temporar(il)?y deactivate",
123                    "temporar[il1]{2}y disab[li]ed",
124                    "temporarily.*lock",
125                    "un-?usua[li].activity",
126                    "unable.*deliver",
127                    "unauthorized.*activit",
128                    "unauthorized.device",
129                    "undelivered message",
130                    "unread.*doc",
131                    "unusual.activity",
132                    "upgrade.*account",
133                    "upgrade.notice",
134                    "urgent message",
135                    "urgent.verification",
136                    "v[il1]o[li1]at[il1]on security",
137                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
138                    "verification ?-?require",
139                    "verification( )?-?need",
140                    "verify.your?.account",
141                    "web ?-?ma[il1]{2}",
142                    "web[ -]?ma[il1]{2}",
143                    "will.be.suspended",
144                    "your (customer )?account .as",
145                    "your.office.365",
146                    "your.online.access"
147    )
148    or any($suspicious_subjects, strings.icontains(subject.subject, .))
149    or regex.icontains(sender.display_name,
150                       "Admin",
151                       "Administrator",
152                       "Alert",
153                       "Assistant",
154                       "Billing",
155                       "Benefits",
156                       "Bonus",
157                       "CEO",
158                       "CFO",
159                       "CIO",
160                       "CTO",
161                       "Chairman",
162                       "Claim",
163                       "Confirm",
164                       "Critical",
165                       "Customer Service",
166                       "Deal",
167                       "Discount",
168                       "Director",
169                       "Exclusive",
170                       "Executive",
171                       "Fax",
172                       "Free",
173                       "Gift",
174                       "/bHR/b",
175                       "Helpdesk",
176                       "Human Resources",
177                       "Immediate",
178                       "Important",
179                       "Info",
180                       "Information",
181                       "Invoice",
182                       '\bIT\b',
183                       "Legal",
184                       "Lottery",
185                       "Management",
186                       "Manager",
187                       "Member Services",
188                       "Notification",
189                       "Offer",
190                       "Operations",
191                       "Order",
192                       "Partner",
193                       "Payment",
194                       "Payroll",
195                       "President",
196                       "Premium",
197                       "Prize",
198                       "Receipt",
199                       "Refund",
200                       "Registrar",
201                       "Required",
202                       "Reward",
203                       "Sales",
204                       "Secretary",
205                       "Security",
206                       "Service",
207                       "Signature",
208                       "Storage",
209                       "Support",
210                       "Sweepstakes",
211                       "System",
212                       "Tax",
213                       "Tech Support",
214                       "Update",
215                       "Upgrade",
216                       "Urgent",
217                       "Validate",
218                       "Verify",
219                       "VIP",
220                       "Webmaster",
221                       "Winner",
222    )
223  )
224  
225  // link can't be scanned due to Cloudflare captcha
226  and any(body.links,
227          regex.icontains(beta.linkanalysis(., mode="aggressive").final_dom.display_text,
228                          "cloudflare"
229          )
230          and not (
231            ( // a Cloudflare error page
232              strings.ilike(beta.linkanalysis(., mode="aggressive").final_dom.display_text,
233                            "*error code*"
234              )
235              and any(beta.linkanalysis(., mode="aggressive").final_dom.links,
236                      strings.icontains(.href_url.query_params,
237                                        "utm_source=errorcode"
238                      )
239              )
240            ) // a cookie warning mentioning Cloudflare
241            or regex.icontains(beta.linkanalysis(., mode="aggressive").final_dom.display_text,
242                               "cookie.{0,50}Cloudflare"
243            )
244            or beta.linkanalysis(., mode="aggressive").effective_url.domain.root_domain in ("marketbeat.com")
245          )
246  )
247  and (
248    not profile.by_sender().solicited
249    or (
250      profile.by_sender().any_messages_malicious_or_spam
251      and not profile.by_sender().any_false_positives
252    )
253  )
254  // negate highly trusted sender domains unless they fail DMARC authentication
255  and (
256    (
257      sender.email.domain.root_domain in $high_trust_sender_root_domains
258      and (
259        any(distinct(headers.hops, .authentication_results.dmarc is not null),
260            strings.ilike(.authentication_results.dmarc, "*fail")
261        )
262      )
263    )
264    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
265  )
266  and not profile.by_sender().any_false_positives
267
268    
269attack_types:
270  - "Credential Phishing"
271detection_methods:
272  - "Content analysis"
273  - "Header analysis"
274  - "URL analysis"
275  - "Sender analysis"
276id: "70ea21f9-2a88-5e33-81a2-4f3384080a04"
to-top