Service abuse: Monday.com infrastructure with phishing intent

calendar Mar 9, 2026  ·
Share on: linkedin copy

Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC.

Sublime rule (View on GitHub)

  1name: "Service abuse: Monday.com infrastructure with phishing intent"
  2description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(body.links) < 15
 10      and any(body.links,
 11              'monday_tracker' in .href_url.rewrite.encoders
 12              and .href_url.scheme != "mailto"
 13      )
 14    )
 15    or (
 16      length(attachments) <= 3
 17      and (
 18        any(attachments,
 19            (.file_type in $file_types_images or .file_type == "pdf")
 20            //
 21            // This rule makes use of a beta feature and is subject to change without notice
 22            // using the beta feature in custom rules is not suggested until it has been formally released
 23            //
 24            and any(beta.scan_qr(.).items,
 25                    .type is not null
 26                    and 'monday_tracker' in .url.rewrite.encoders
 27                    and .url.scheme != "mailto"
 28            )
 29            //
 30            // This rule makes use of a beta feature and is subject to change without notice
 31            // using the beta feature in custom rules is not suggested until it has been formally released
 32            //
 33            // exclude images taken with mobile cameras and screenshots from android
 34            and not any(beta.parse_exif(.).fields,
 35                        .key == "Model"
 36                        or (
 37                          .key == "Software"
 38                          and strings.starts_with(.value, "Android")
 39                        )
 40            )
 41            // exclude images taken with mobile cameras and screenshots from Apple
 42            and not any(beta.parse_exif(.).fields,
 43                        .key == "DeviceManufacturer"
 44                        and .value == "Apple Computer Inc."
 45            )
 46        )
 47      )
 48    )
 49    or (
 50      length(attachments) == 0
 51      and (
 52        //
 53        // This rule makes use of a beta feature and is subject to change without notice
 54        // using the beta feature in custom rules is not suggested until it has been formally released
 55        //
 56        beta.parse_exif(file.message_screenshot()).image_height < 2000
 57        and beta.parse_exif(file.message_screenshot()).image_width < 2000
 58        and beta.scan_qr(file.message_screenshot()).found
 59        and any(beta.scan_qr(file.message_screenshot()).items,
 60                .type is not null
 61                and 'monday_tracker' in .url.rewrite.encoders
 62                and .url.scheme != "mailto"
 63        )
 64      )
 65    )
 66    or (
 67      length(attachments) <= 3
 68      and (
 69        any(attachments,
 70            (
 71              .file_type in ("pdf")
 72              or .file_extension in ("pdf", "eml")
 73              or .file_extension in $file_extensions_macros
 74              or .content_type in ("message/rfc822")
 75            )
 76            and any(file.explode(.),
 77                    any(.scan.url.urls, 'monday_tracker' in .rewrite.encoders)
 78            )
 79        )
 80      )
 81    )
 82  )
 83  // negate messages that traverse monday.com infra
 84  and not (
 85    any(headers.domains, strings.ends_with(.domain, "mail.monday.com"))
 86    or (
 87      strings.iends_with(headers.message_id, '@monday-mail.com>')
 88      and any(headers.hops,
 89              any(.fields,
 90                  .name =~ "Content-Type"
 91                  and strings.iends_with(.value, 'mondaymailcom_"')
 92              )
 93      )
 94      and any(headers.hops, any(.fields, .name =~ "x-monday-crm"))
 95    )
 96  )
 97  and not (
 98    headers.auth_summary.dmarc.details.from.root_domain == "monday.com"
 99    and headers.auth_summary.spf.pass
100    and headers.auth_summary.dmarc.pass
101  )
102  and any(ml.nlu_classifier(body.current_thread.text).intents,
103          .name != "benign" and .confidence in ("medium", "high")
104  )
105  // negating legit replies
106  and not (
107    (subject.is_reply or subject.is_forward)
108    and (length(headers.references) > 0 and headers.in_reply_to is not null)
109  )
110  // negate graymail and newsletters
111  and not (
112    any(ml.nlu_classifier(body.current_thread.text).topics,
113        .name in~ (
114          "Advertising and Promotions",
115          "B2B Cold Outreach",
116          "Newsletters and Digests",
117          "Events and Webinars"
118        )
119        and .confidence != "low"
120    )
121  )
122  and (
123    // negate highly trusted sender domains unless they fail DMARC authentication
124    not (
125      sender.email.domain.root_domain in $high_trust_sender_root_domains
126      and coalesce(headers.auth_summary.dmarc.pass, false)
127    )
128    // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse
129    or sender.email.domain.root_domain in ("salesforce.com")
130  )  
131attack_types:
132  - "Credential Phishing"
133tactics_and_techniques:
134  - "Evasion"
135  - "Social engineering"
136  - "QR code"
137detection_methods:
138  - "Content analysis"
139  - "File analysis"
140  - "Header analysis"
141  - "QR code analysis"
142  - "Sender analysis"
143  - "URL analysis"
144id: "a346e3b1-603e-5ef0-8547-d40ba4282352"
to-top