Attachment: PDF with multistage landing - ClickUp abuse

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Evasion, Free file host, Free subdomain host, PDF, Social engineering

Event coverage

Message attribute
attachments (collection)
type

Rule body MQL

type.inbound
and length(attachments) == 1
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                .depth == 0
                and length(.scan.url.urls) == 1
                and any(.scan.url.urls,
                        .domain.domain == "doc.clickup.com"
                        and (
                          // landing page has been removed
                          strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                                               'This page is currently unavailable'
                          )
                          // inspection of links within the doc.clickup.com
                          or any(filter(ml.link_analysis(.).final_dom.links,
                                        .href_url.domain.root_domain != 'clickup.com'
                                        and .href_url.domain.root_domain not in $org_domains
                                 ),
                                 (
                                   // any of those links domains are new
                                   network.whois(.href_url.domain).days_old < 30
                                   // go to free file hosts
                                   or .href_url.domain.root_domain in $free_file_hosts
                                   or .href_url.domain.domain in $free_file_hosts

                                   // go to free subdomains hosts
                                   or (
                                     .href_url.domain.root_domain in $free_subdomain_hosts
                                     // where there is a subdomain
                                     and .href_url.domain.subdomain is not null
                                     and .href_url.domain.subdomain != "www"
                                   )
                                   // go to url shortners
                                   or .href_url.domain.root_domain in $url_shorteners
                                   or .href_url.domain.root_domain in $social_landing_hosts
                                   or .href_url.domain.domain in $url_shorteners
                                   or .href_url.domain.domain in $social_landing_hosts
                                   // or the page has been taken down
                                   or (
                                     // find any links that mention common "action" words
                                     regex.icontains(.display_text,
                                                     '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                                     )
                                     and (
                                       // and when visiting those links, are phishing
                                       ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                                       // hit a captcha page
                                       or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                                       // or the page redirects to common website, observed when evasion happens
                                       or (
                                         length(ml.link_analysis(.,
                                                                 mode="aggressive"
                                                ).redirect_history
                                         ) > 0
                                         and ml.link_analysis(.,
                                                              mode="aggressive"
                                         ).effective_url.domain.root_domain in $tranco_10k
                                       )
                                     )
                                   )
                                 )
                          )
                        )
                )
        )
)

Detection logic

Scope: inbound message.

inbound message
length(attachments) is 1
any of attachments where all hold:
- .file_type is 'pdf'
- any of file.explode(.) where all hold:
  - .depth is 0
  - length(.scan.url.urls) is 1
  - any of .scan.url.urls where all hold:
    
    .domain.domain is 'doc.clickup.com'
    any of:
    
    ml.link_analysis(.).final_dom.display_text starts with 'This page is currently unavailable'
    any of filter(...) where any holds:
    
    network.whois(.href_url.domain).days_old < 30
    .href_url.domain.root_domain in $free_file_hosts
    .href_url.domain.domain in $free_file_hosts
    all of:
    
    .href_url.domain.root_domain in $free_subdomain_hosts
    .href_url.domain.subdomain is set
    .href_url.domain.subdomain is not 'www'
    .href_url.domain.root_domain in $url_shorteners
    .href_url.domain.root_domain in $social_landing_hosts
    .href_url.domain.domain in $url_shorteners
    .href_url.domain.domain in $social_landing_hosts
    all of:
    
    .display_text matches '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
    any of:
    
    ml.link_analysis(.).credphish.disposition is 'phishing'
    ml.link_analysis(.).credphish.contains_captcha
    all of:
    
    length(ml.link_analysis(., mode='aggressive').redirect_history) > 0
    ml.link_analysis(.).effective_url.domain.root_domain in $tranco_10k

Inspects: attachments[].file_type, type.inbound. Sensors: file.explode, ml.link_analysis, network.whois, regex.icontains, strings.istarts_with. Reference lists: $free_file_hosts, $free_subdomain_hosts, $org_domains, $social_landing_hosts, $tranco_10k, $url_shorteners.

Indicators matched (4)

Field	Match	Value
`attachments[].file_type`	equals	`pdf`
`file.explode(attachments[])[].scan.url.urls[].domain.domain`	equals	`doc.clickup.com`
`strings.istarts_with`	prefix	`This page is currently unavailable`
`regex.icontains`	regex	`(?:view\|click\|show\|access\|download\|goto\|Validate\|Va[il]idar\|login\|verify\|account)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)