Service abuse: Monday.com infrastructure with phishing intent

calendar Dec 18, 2025  ·
Share on: linkedin copy

Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC.

Sublime rule (View on GitHub)

  1name: "Service abuse: Monday.com infrastructure with phishing intent"
  2description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(body.links) < 15
 10      and any(body.links,
 11              'monday_tracker' in .href_url.rewrite.encoders
 12              and .href_url.scheme != "mailto"
 13      )
 14    )
 15    or (
 16      length(attachments) <= 3
 17      and (
 18        any(attachments,
 19            (.file_type in $file_types_images or .file_type == "pdf")
 20            //
 21            // This rule makes use of a beta feature and is subject to change without notice
 22            // using the beta feature in custom rules is not suggested until it has been formally released
 23            //
 24            and any(beta.scan_qr(.).items,
 25                    .type is not null
 26                    and 'monday_tracker' in .url.rewrite.encoders
 27                    and .url.scheme != "mailto"
 28            )
 29            //
 30            // This rule makes use of a beta feature and is subject to change without notice
 31            // using the beta feature in custom rules is not suggested until it has been formally released
 32            //
 33            // exclude images taken with mobile cameras and screenshots from android
 34            and not any(beta.parse_exif(.).fields,
 35                        .key == "Model"
 36                        or (
 37                          .key == "Software"
 38                          and strings.starts_with(.value, "Android")
 39                        )
 40            )
 41            // exclude images taken with mobile cameras and screenshots from Apple
 42            and not any(beta.parse_exif(.).fields,
 43                        .key == "DeviceManufacturer"
 44                        and .value == "Apple Computer Inc."
 45            )
 46        )
 47      )
 48    )
 49    or (
 50      length(attachments) == 0
 51      and (
 52        //
 53        // This rule makes use of a beta feature and is subject to change without notice
 54        // using the beta feature in custom rules is not suggested until it has been formally released
 55        //
 56        beta.parse_exif(file.message_screenshot()).image_height < 2000
 57        and beta.parse_exif(file.message_screenshot()).image_width < 2000
 58        and beta.scan_qr(file.message_screenshot()).found
 59        and any(beta.scan_qr(file.message_screenshot()).items,
 60                .type is not null
 61                and 'monday_tracker' in .url.rewrite.encoders
 62                and .url.scheme != "mailto"
 63        )
 64      )
 65    )
 66    or (
 67      length(attachments) <= 3
 68      and (
 69        any(attachments,
 70            (
 71              .file_type in ("pdf")
 72              or .file_extension in ("pdf", "eml")
 73              or .file_extension in $file_extensions_macros
 74              or .content_type in ("message/rfc822")
 75            )
 76            and any(file.explode(.),
 77                    any(.scan.url.urls, 'monday_tracker' in .rewrite.encoders)
 78            )
 79        )
 80      )
 81    )
 82  )
 83  and not any(headers.domains, strings.ends_with(.domain, "mail.monday.com"))
 84  and not (
 85      headers.auth_summary.dmarc.details.from.root_domain == "monday.com"
 86      and headers.auth_summary.spf.pass
 87      and headers.auth_summary.dmarc.pass
 88  )
 89  and any(ml.nlu_classifier(body.current_thread.text).intents,
 90          .name != "benign" and .confidence in ("medium", "high")
 91  )
 92  // negating legit replies
 93  and not (
 94    (subject.is_reply or subject.is_forward)
 95    and (
 96      length(headers.references) > 0
 97      and headers.in_reply_to is not null
 98    )
 99  )
100  // negate graymail and newsletters
101  and not (
102    any(ml.nlu_classifier(body.current_thread.text).topics,
103        .name in~ (
104          "Advertising and Promotions",
105          "B2B Cold Outreach",
106          "Newsletters and Digests",
107          "Events and Webinars"
108        )
109        and .confidence != "low"
110    )
111  )
112  
113  // negate highly trusted sender domains unless they fail DMARC authentication
114  and (
115    (
116      (
117        (
118          sender.email.domain.root_domain in $high_trust_sender_root_domains
119          and not headers.auth_summary.dmarc.pass
120        )
121        or sender.email.domain.root_domain not in $high_trust_sender_root_domains
122      )
123      and profile.by_sender().prevalence in ("new", "outlier", "rare")
124    )
125    // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse 
126    or sender.email.domain.root_domain == "salesforce.com"
127  )  
128attack_types:
129  - "Credential Phishing"
130tactics_and_techniques:
131  - "Evasion"
132  - "Social engineering"
133  - "QR code"
134detection_methods:
135  - "Content analysis"
136  - "File analysis"
137  - "Header analysis"
138  - "QR code analysis"
139  - "Sender analysis"
140  - "URL analysis"
141id: "a346e3b1-603e-5ef0-8547-d40ba4282352"
to-top