Link: Observed URL pattern with specific domain registrar

Detects messages using Element Email service infrastructure, identified by characteristic URL patterns with /f/ paths, unsubscribe links, single domain usage, and Cloudflare domain registration. This pattern indicates potential abuse of legitimate email marketing services.

Sublime rule

name: "Link: Observed URL pattern with specific domain registrar"
description: "Detects messages using Element Email service infrastructure, identified by characteristic URL patterns with /f/ paths, unsubscribe links, single domain usage, and Cloudflare domain registration. This pattern indicates potential abuse of legitimate email marketing services."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Signs of Email Element use
  // all links are the same domain
  and length(distinct(body.current_thread.links, .href_url.domain.root_domain)) == 1
  // all links contain the /f/
  and all(body.current_thread.links,
          regex.icontains(.href_url.path, '^/(?:unsubscribe/)?f/')
  )
  // there is an unsub link
  and length(filter(body.current_thread.links,
                    strings.icontains(.href_url.path, '/unsubscribe/f/')
             )
  ) == 1
  // this actor uses CF for domain management
  and network.whois(sender.email.domain).registrar_name == "Cloudflare, Inc."
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
  - "Whois"
id: "82ee7653-deb3-533a-941a-59d047be9b5c"
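The four conditions the rule chains together (one root domain across all links, every path under /f/ or /unsubscribe/f/, exactly one unsubscribe link, and a Cloudflare-registered sender domain) can be exercised offline against constructed messages. The Python below is an added example written for this page, not Sublime's code or MQL; it assumes a simplified root_domain (last two labels, no public-suffix list) and replaces network.whois with a hypothetical lookup table, and it includes negative samples so each condition is seen to fail independently.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Hypothetical registrar table standing in for network.whois(); constructed, not real data.
REGISTRAR_BY_DOMAIN = {
    "example-sender.test": "Cloudflare, Inc.",
    "other-sender.test": "Example Registrar LLC",
}

# Same pattern as the rule's regex.icontains(); re.search + IGNORECASE matches MQL semantics.
F_PATH_RE = re.compile(r"^/(?:unsubscribe/)?f/", re.IGNORECASE)


def root_domain(hostname: str) -> str:
    """Approximation of MQL's .root_domain: last two labels (assumption: no public-suffix list)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_registrar(domain: str) -> Optional[str]:
    """Stand-in for network.whois(domain).registrar_name; real code would query WHOIS/RDAP."""
    return REGISTRAR_BY_DOMAIN.get(domain.lower())


def matches_rule(links: list[str], sender_domain: str, whois=lookup_registrar) -> bool:
    """Mirror the rule's four AND-ed conditions over a message's link hrefs and sender domain."""
    parsed = [urlparse(u) for u in links]

    # 1. all links share one root domain (an empty link set has 0 distinct domains, so no match)
    roots = {root_domain(p.hostname or "") for p in parsed}
    if len(roots) != 1:
        return False

    paths = [p.path for p in parsed]
    # 2. every link path starts with /f/ or /unsubscribe/f/
    if not all(F_PATH_RE.search(path) for path in paths):
        return False

    # 3. exactly one unsubscribe link (case-insensitive substring, like strings.icontains)
    if sum("/unsubscribe/f/" in path.lower() for path in paths) != 1:
        return False

    # 4. sender domain registered through Cloudflare
    return whois(sender_domain) == "Cloudflare, Inc."


# Constructed sample messages (link set + sender domain); not observed traffic.
SAMPLES = {
    "pattern_match": (
        ["https://track.example-sender.test/f/abc123",
         "https://track.example-sender.test/f/def456",
         "https://track.example-sender.test/unsubscribe/f/abc123"],
        "example-sender.test",
    ),
    "mixed_domains": (  # fails condition 1
        ["https://track.example-sender.test/f/abc123",
         "https://cdn.unrelated.test/f/logo",
         "https://track.example-sender.test/unsubscribe/f/abc123"],
        "example-sender.test",
    ),
    "no_unsubscribe": (  # fails condition 3
        ["https://track.example-sender.test/f/abc123"],
        "example-sender.test",
    ),
    "other_registrar": (  # fails condition 4
        ["https://track.other-sender.test/f/abc123",
         "https://track.other-sender.test/unsubscribe/f/abc123"],
        "other-sender.test",
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run every constructed sample through the rule logic."""
    return {name: matches_rule(links, sender) for name, (links, sender) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample trips all four conditions; the registrar check is what keeps a generic "single tracking domain plus one unsubscribe link" layout, which many legitimate senders share, from matching on its own.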