Suspicious message with unscannable Vercel link

This rule detects messages with unscannable links to Vercel infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Sublime rule (View on GitHub)

  1name: "Suspicious message with unscannable Vercel link"
  2description: "This rule detects messages with unscannable links to Vercel infrastructure with suspicious indicators in the subject or display name from an unsolicited sender."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    // few links
  9    0 < length(body.links) < 20
 10    // fewer unique root domain links
 11    and length(distinct(body.links, .href_url.domain.root_domain)) < 10
 12    // sender domain matches no body domains
 13    and all(body.links,
 14            .href_url.domain.root_domain != sender.email.domain.root_domain
 15            // sender email address in body looks like this
 16            or .href_url.url == sender.email.domain.root_domain
 17    )
 18  )
 19  
 20  // negate bouncebacks and undeliverables
 21  and not any(attachments,
 22              .content_type in (
 23                "message/global-delivery-status",
 24                "message/delivery-status"
 25              )
 26  )
 27  
 28  // suspicious subject or display name
 29  and (
 30    regex.icontains(subject.subject,
 31                    "termination.*notice",
 32                    "38417",
 33                    ":completed",
 34                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 35                    "[il][il][il]egai[ -]",
 36                    "[li][li][li]ega[li] attempt",
 37                    "[ng]-?[io]n .*block",
 38                    "[ng]-?[io]n .*cancel",
 39                    "[ng]-?[io]n .*deactiv",
 40                    "[ng]-?[io]n .*disabl",
 41                    "action.*required",
 42                    "abandon.*package",
 43                    "about.your.account",
 44                    "acc(ou)?n?t (is )?on ho[li]d",
 45                    "acc(ou)?n?t.*terminat",
 46                    "acc(oun)?t.*[il1]{2}mitation",
 47                    "access.*limitation",
 48                    "account (will be )?block",
 49                    "account.*de-?activat",
 50                    "account.*locked",
 51                    "account.*re-verification",
 52                    "account.*security",
 53                    "account.*suspension",
 54                    "account.has.been",
 55                    "account.has.expired",
 56                    "account.will.be.blocked",
 57                    "account v[il]o[li]at",
 58                    "activity.*acc(oun)?t",
 59                    "almost.full",
 60                    "app[li]e.[il]d",
 61                    "authenticate.*account",
 62                    "been.*suspend",
 63                    "clos.*of.*account.*processed",
 64                    "confirm.your.account",
 65                    "courier.*able",
 66                    "crediential.*notif",
 67                    "deactivation.*in.*progress",
 68                    "delivery.*attempt.*failed",
 69                    "document.received",
 70                    "documented.*shared.*with.*you",
 71                    "dropbox.*document",
 72                    "e-?ma[il1]+ .{010}suspen",
 73                    "e-?ma[il1]{1} user",
 74                    "e-?ma[il1]{2} acc",
 75                    "e-?ma[il1]{2}.*up.?grade",
 76                    "e.?ma[il1]{2}.*server",
 77                    "e.?ma[il1]{2}.*suspend",
 78                    "email.update",
 79                    "faxed you",
 80                    "fraud(ulent)?.*charge",
 81                    "from.helpdesk",
 82                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 83                    "has.been.*suspended",
 84                    "has.been.limited",
 85                    "have.locked",
 86                    "he[li]p ?desk upgrade",
 87                    "heipdesk",
 88                    "i[il]iega[il]",
 89                    "ii[il]ega[il]",
 90                    "incoming e?mail",
 91                    "incoming.*fax",
 92                    "lock.*security",
 93                    "ma[il1]{1}[ -]?box.*quo",
 94                    "ma[il1]{2}[ -]?box.*fu[il1]",
 95                    "ma[il1]{2}box.*[il1]{2}mit",
 96                    "ma[il1]{2}box stor",
 97                    "mail on.?hold",
 98                    "mail.*box.*migration",
 99                    "mail.*de-?activat",
100                    "mail.update.required",
101                    "mails.*pending",
102                    "messages.*pending",
103                    "missed.*shipping.*notification",
104                    "missed.shipment.notification",
105                    "must.update.your.account",
106                    "new [sl][io]g?[nig][ -]?in from",
107                    "new voice ?-?mail",
108                    "notifications.*pending",
109                    "office.*3.*6.*5.*suspend",
110                    "office365",
111                    "on google docs with you",
112                    "online doc",
113                    "password.*compromised",
114                    "periodic maintenance",
115                    "potential(ly)? unauthorized",
116                    "refund not approved",
117                    "report",
118                    "revised.*policy",
119                    "scam",
120                    "scanned.?invoice",
121                    "secured?.update",
122                    "security breach",
123                    "securlty",
124                    "signed.*delivery",
125                    "statement is ready",
126                    "status of your .{314}? ?delivery",
127                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
128                    "suspicious.*sign.*[io]n",
129                    "suspicious.activit",
130                    "temporar(il)?y deactivate",
131                    "temporar[il1]{2}y disab[li]ed",
132                    "temporarily.*lock",
133                    "un-?usua[li].activity",
134                    "unable.*deliver",
135                    "unauthorized.*activit",
136                    "unauthorized.device",
137                    "undelivered message",
138                    "unread.*doc",
139                    "unusual.activity",
140                    "upgrade.*account",
141                    "upgrade.notice",
142                    "urgent message",
143                    "urgent.verification",
144                    "v[il1]o[li1]at[il1]on security",
145                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
146                    "verification ?-?require",
147                    "verification( )?-?need",
148                    "verify.your?.account",
149                    "web ?-?ma[il1]{2}",
150                    "web[ -]?ma[il1]{2}",
151                    "will.be.suspended",
152                    "your (customer )?account .as",
153                    "your.office.365",
154                    "your.online.access"
155    )
156    or any($suspicious_subjects, strings.icontains(subject.subject, .))
157    or regex.icontains(sender.display_name,
158                       "Admin",
159                       "Administrator",
160                       "Alert",
161                       "Assistant",
162                       "Billing",
163                       "Benefits",
164                       "Bonus",
165                       "CEO",
166                       "CFO",
167                       "CIO",
168                       "CTO",
169                       "Chairman",
170                       "Claim",
171                       "Confirm",
172                       "Critical",
173                       "Customer Service",
174                       "Deal",
175                       "Discount",
176                       "Director",
177                       "Exclusive",
178                       "Executive",
179                       "Fax",
180                       "Free",
181                       "Gift",
182                       "/bHR/b",
183                       "Helpdesk",
184                       "Human Resources",
185                       "Immediate",
186                       "Important",
187                       "Info",
188                       "Information",
189                       "Invoice",
190                       '\bIT\b',
191                       "Legal",
192                       "Lottery",
193                       "Management",
194                       "Manager",
195                       "Member Services",
196                       "Notification",
197                       "Offer",
198                       "Operations",
199                       "Order",
200                       "Partner",
201                       "Payment",
202                       "Payroll",
203                       "President",
204                       "Premium",
205                       "Prize",
206                       "Receipt",
207                       "Refund",
208                       "Registrar",
209                       "Required",
210                       "Reward",
211                       "Sales",
212                       "Secretary",
213                       "Security",
214                       "Service",
215                       "Signature",
216                       "SSA",
217                       "Storage",
218                       "Support",
219                       "Sweepstakes",
220                       "System",
221                       "Tax",
222                       "Tech Support",
223                       "Update",
224                       "Upgrade",
225                       "Urgent",
226                       "Validate",
227                       "Verify",
228                       "VIP",
229                       "Webmaster",
230                       "Winner",
231    )
232    or any(body.links,
233           strings.ends_with(.href_url.url, ".exe")
234           or .href_url.domain.root_domain in $social_landing_hosts
235           or .href_url.domain.domain in $free_subdomain_hosts
236           or .href_url.domain.root_domain in $free_subdomain_hosts
237    )
238  )
239  
240  // link can't be scanned due to Vercel block page
241  and any(body.links,
242          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
243                            "Vercel Security Checkpoint"
244          )
245          or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
246                               'https://vercel.link/security-checkpoint'
247          )
248  )
249  and (
250    not profile.by_sender_email().solicited
251    or (
252      profile.by_sender().any_messages_malicious_or_spam
253      and not profile.by_sender().any_false_positives
254    )
255  )
256  // negate highly trusted sender domains unless they fail DMARC authentication
257  and (
258    (
259      sender.email.domain.root_domain in $high_trust_sender_root_domains
260      and not headers.auth_summary.dmarc.pass
261    )
262    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
263  )
264  and not profile.by_sender().any_false_positives
265    
266tags:
267 - "Attack surface reduction"
268attack_types:
269  - "Credential Phishing"
270tactics_and_techniques:
271  - "Evasion"
272detection_methods:
273  - "Content analysis"
274  - "Header analysis"
275  - "Sender analysis"
276  - "URL analysis"
277id: "b5acffe7-e037-5d7d-9a07-c08f03e021e4"

Related rules
