
Suspicious attachment with unscannable Cloudflare link

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

A PDF or Office document carries a small number of links, none on the sender's own domain, that resolve to Cloudflare-protected pages gated behind a Turnstile CAPTCHA — so the real landing page cannot be scanned. The message also has a subject or sender display name suggesting urgency or authority (or the document links to a .exe or contains credential-theft language), and the sender has no benign message history.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

| Category | Values |
| --- | --- |
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, PDF, Social engineering, Impersonation: Employee, Impersonation: VIP |

Event coverage

Rule body MQL

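// Inbound message carrying a PDF/Office attachment whose embedded links resolve to a
// Cloudflare Turnstile-gated page (the landing page cannot be scanned), combined with
// a phishing-style subject or display name and a sender with no benign history.
type.inbound
and any(attachments,
        (
          .file_extension in $file_extensions_macros
          or .file_extension == "pdf"
          or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
          or .content_type in ("application/pdf")
        )
        and any(file.explode(.),
                // few links
                0 < length(.scan.url.urls) < 20
                // fewer unique root domain links
                and length(distinct(.scan.url.urls, .domain.root_domain)) < 10
                // sender domain matches no body domains
                // NOTE(review): easy evasion point — a single link to the sender's own
                // root domain anywhere in the document makes this all() false and the
                // whole rule miss
                and all(.scan.url.urls,
                        .domain.root_domain != sender.email.domain.root_domain
                )
        )
)

// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)

// suspicious subject or display name
// (several of these — "report", "scam", "online doc" — are very broad on their own;
// they are only tolerable because the Cloudflare/Turnstile clause below gates the rule)
and (
  regex.icontains(subject.subject,
                  "termination.*notice",
                  "38417",
                  ":completed",
                  "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                  "[il][il][il]egai[ -]",
                  "[li][li][li]ega[li] attempt",
                  "[ng]-?[io]n .*block",
                  "[ng]-?[io]n .*cancel",
                  "[ng]-?[io]n .*deactiv",
                  "[ng]-?[io]n .*disabl",
                  "action.*required",
                  "abandon.*package",
                  "about.your.account",
                  "acc(ou)?n?t (is )?on ho[li]d",
                  "acc(ou)?n?t.*terminat",
                  "acc(oun)?t.*[il1]{2}mitation",
                  "access.*limitation",
                  "account (will be )?block",
                  "account.*de-?activat",
                  "account.*locked",
                  "account.*re-verification",
                  "account.*security",
                  "account.*suspension",
                  "account.has.been",
                  "account.has.expired",
                  "account.will.be.blocked",
                  "account v[il]o[li]at",
                  "activity.*acc(oun)?t",
                  "almost.full",
                  "app[li]e.[il]d",
                  "authenticate.*account",
                  "been.*suspend",
                  "clos.*of.*account.*processed",
                  "confirm.your.account",
                  "courier.*able",
                  "crediential.*notif",
                  "deactivation.*in.*progress",
                  "delivery.*attempt.*failed",
                  "document.received",
                  "documented.*shared.*with.*you",
                  "dropbox.*document",
                  // was ".{010}" (exactly 10 characters) — the quantifier had lost its
                  // comma; allow 0-10 characters between "mail" and "suspen"
                  "e-?ma[il1]+ .{0,10}suspen",
                  "e-?ma[il1]{1} user",
                  "e-?ma[il1]{2} acc",
                  "e-?ma[il1]{2}.*up.?grade",
                  "e.?ma[il1]{2}.*server",
                  "e.?ma[il1]{2}.*suspend",
                  "email.update",
                  "faxed you",
                  "fraud(ulent)?.*charge",
                  "from.helpdesk",
                  "fu[il1]{2}.*ma[il1]+[ -]?box",
                  "has.been.*suspended",
                  "has.been.limited",
                  "have.locked",
                  "he[li]p ?desk upgrade",
                  "heipdesk",
                  "i[il]iega[il]",
                  "ii[il]ega[il]",
                  "incoming e?mail",
                  "incoming.*fax",
                  "lock.*security",
                  "ma[il1]{1}[ -]?box.*quo",
                  "ma[il1]{2}[ -]?box.*fu[il1]",
                  "ma[il1]{2}box.*[il1]{2}mit",
                  "ma[il1]{2}box stor",
                  "mail on.?hold",
                  "mail.*box.*migration",
                  "mail.*de-?activat",
                  "mail.update.required",
                  "mails.*pending",
                  "messages.*pending",
                  "missed.*shipping.*notification",
                  "missed.shipment.notification",
                  "must.update.your.account",
                  "new [sl][io]g?[nig][ -]?in from",
                  "new voice ?-?mail",
                  "notifications.*pending",
                  "office.*3.*6.*5.*suspend",
                  "office365",
                  "on google docs with you",
                  "online doc",
                  "password.*compromised",
                  "periodic maintenance",
                  "potential(ly)? unauthorized",
                  "refund not approved",
                  "report",
                  "revised.*policy",
                  "scam",
                  "scanned.?invoice",
                  "secured?.update",
                  "security breach",
                  "securlty",
                  "signed.*delivery",
                  "statement is ready",
                  // was ".{314}?" (exactly 314 characters) — lost comma; 3-14 characters
                  // between "your" and "delivery" is the plausible intent
                  "status of your .{3,14}? ?delivery",
                  "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                  "suspicious.*sign.*[io]n",
                  "suspicious.activit",
                  "temporar(il)?y deactivate",
                  "temporar[il1]{2}y disab[li]ed",
                  "temporarily.*lock",
                  "un-?usua[li].activity",
                  "unable.*deliver",
                  "unauthorized.*activit",
                  "unauthorized.device",
                  "undelivered message",
                  "unread.*doc",
                  "unusual.activity",
                  "upgrade.*account",
                  "upgrade.notice",
                  "urgent message",
                  "urgent.verification",
                  "v[il1]o[li1]at[il1]on security",
                  "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                  "verification ?-?require",
                  "verification( )?-?need",
                  "verify.your?.account",
                  "web ?-?ma[il1]{2}",
                  "web[ -]?ma[il1]{2}",
                  "will.be.suspended",
                  "your (customer )?account .as",
                  "your.office.365",
                  "your.online.access"
  )
  or any($suspicious_subjects, strings.icontains(subject.subject, .))
  or regex.icontains(sender.display_name,
                     "Admin",
                     "Administrator",
                     "Alert",
                     "Assistant",
                     "Billing",
                     "Benefits",
                     "Bonus",
                     "CEO",
                     "CFO",
                     "CIO",
                     "CTO",
                     "Chairman",
                     "Claim",
                     "Confirm",
                     "Critical",
                     "Customer Service",
                     "Deal",
                     "Discount",
                     "Director",
                     "Exclusive",
                     "Executive",
                     "Fax",
                     "Free",
                     "Gift",
                     // was "/bHR/b": forward slashes are literal characters, so that
                     // pattern could never match; \b is the word-boundary anchor
                     // (same form as '\bIT\b' below)
                     '\bHR\b',
                     "Helpdesk",
                     "Human Resources",
                     "Immediate",
                     "Important",
                     "Info",
                     "Information",
                     "Invoice",
                     '\bIT\b',
                     "Legal",
                     "Lottery",
                     "Management",
                     "Manager",
                     "Member Services",
                     "Notification",
                     "Offer",
                     "Operations",
                     "Order",
                     "Partner",
                     "Payment",
                     "Payroll",
                     "President",
                     "Premium",
                     "Prize",
                     "Receipt",
                     "Refund",
                     "Registrar",
                     "Required",
                     "Reward",
                     "Sales",
                     "Secretary",
                     "Security",
                     "Service",
                     "Signature",
                     'SSA?\.gov',
                     "Storage",
                     "Support",
                     "Sweepstakes",
                     "System",
                     "Tax",
                     "Tech Support",
                     "Update",
                     "Upgrade",
                     "Urgent",
                     "Validate",
                     "Verify",
                     "VIP",
                     "Webmaster",
                     "Winner",
  )
  // the attachment itself links to an executable or reads as credential theft
  or any(attachments,
         (
           .file_extension in $file_extensions_macros
           or .file_extension == "pdf"
           or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
           or .content_type in ("application/pdf")
         )
         and any(file.explode(.),
                 any(.scan.url.urls, strings.ends_with(.url, ".exe"))
                 or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft"
                 )
         )
  )
)
// at least one document link lands on a Cloudflare-gated page
and any(attachments,
        (
          .file_extension in $file_extensions_macros
          or .file_extension == "pdf"
          or .file_type in ("pdf", "doc", "docx", "xls", "xlsx")
          or .content_type in ("application/pdf")
        )
        and any(file.explode(.),
                any(.scan.url.urls,
                    (
                      // NOTE(review): this branch fires on any reachable page whose
                      // visible text mentions Cloudflare (e.g. a "protected by" footer);
                      // the exclusions below only cover a few known shapes of that
                      strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                        "cloudflare"
                      )
                      // includes the turnstile CAPTCHA
                      or (
                        strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                                          'https://challenges.cloudflare.com/turnstile/'
                        )
                        // has a short body length indicating the page is gated behind the turnstile instead
                        // of just including the turnstile
                        and length((
                                     ml.link_analysis(., mode="aggressive").final_dom.display_text
                                   )
                        ) < 200
                      )
                    )
                    and not (
                      ( // a Cloudflare error page
                        strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                      "*error code*"
                        )
                        and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                                strings.icontains(.href_url.query_params,
                                                  "utm_source=errorcode"
                                )
                        )
                      ) // a cookie warning mentioning Cloudflare
                      or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                         "cookie.{0,50}Cloudflare"
                      )
                      or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
                        "marketbeat.com"
                      )
                    )
                )
        )
)
// sender is unsolicited, or previously malicious/spam with no benign history
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    // the "no benign messages" condition is restated unconditionally at the end of
    // the rule, so this inner check is redundant but kept for readability
    and not profile.by_sender().any_messages_benign
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign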

Detection logic

Scope: inbound message.

A PDF or Office document carries a small number of links, none on the sender's own domain, that resolve to Cloudflare-protected pages gated behind a Turnstile CAPTCHA, so the real landing page cannot be scanned. The message also has a subject or sender display name suggesting urgency or authority (or the document links to a .exe or contains credential-theft language), and the sender has no benign message history. Two caveats for tuning: the "no link on the sender's domain" condition in step 2 is defeated by a single link to the sender's own root domain inside the document, and the `display_text contains 'cloudflare'` branch in step 5 fires on any reachable page whose visible text mentions Cloudflare, which the error-page, cookie-notice and marketbeat.com exclusions only partly cover.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in $file_extensions_macros
      • .file_extension is 'pdf'
      • .file_type in ('pdf', 'doc', 'docx', 'xls', 'xlsx')
      • .content_type in ('application/pdf')
    • any of file.explode(.) where all hold:
      • all of:
        • length(.scan.url.urls) > 0
        • length(.scan.url.urls) < 20
      • length(distinct(.scan.url.urls, .domain.root_domain)) < 10
      • all of .scan.url.urls where:
        • .domain.root_domain is not sender.email.domain.root_domain
  3. not:
    • any of attachments where:
      • .content_type in ('message/global-delivery-status', 'message/delivery-status')
  4. any of:
    • subject.subject matches any of 124 patterns
      • termination.*notice
      • 38417
      • :completed
      • [il1]{2}mit.*ma[il1]{2} ?bo?x
      • [il][il][il]egai[ -]
      • [li][li][li]ega[li] attempt
      • [ng]-?[io]n .*block
      • [ng]-?[io]n .*cancel
      • [ng]-?[io]n .*deactiv
      • [ng]-?[io]n .*disabl
      • action.*required
      • abandon.*package
      • about.your.account
      • acc(ou)?n?t (is )?on ho[li]d
      • acc(ou)?n?t.*terminat
      • acc(oun)?t.*[il1]{2}mitation
      • access.*limitation
      • account (will be )?block
      • account.*de-?activat
      • account.*locked
      • account.*re-verification
      • account.*security
      • account.*suspension
      • account.has.been
      • account.has.expired
      • account.will.be.blocked
      • account v[il]o[li]at
      • activity.*acc(oun)?t
      • almost.full
      • app[li]e.[il]d
      • authenticate.*account
      • been.*suspend
      • clos.*of.*account.*processed
      • confirm.your.account
      • courier.*able
      • crediential.*notif
      • deactivation.*in.*progress
      • delivery.*attempt.*failed
      • document.received
      • documented.*shared.*with.*you
      • dropbox.*document
      • e-?ma[il1]+ .{010}suspen
      • e-?ma[il1]{1} user
      • e-?ma[il1]{2} acc
      • e-?ma[il1]{2}.*up.?grade
      • e.?ma[il1]{2}.*server
      • e.?ma[il1]{2}.*suspend
      • email.update
      • faxed you
      • fraud(ulent)?.*charge
      • from.helpdesk
      • fu[il1]{2}.*ma[il1]+[ -]?box
      • has.been.*suspended
      • has.been.limited
      • have.locked
      • he[li]p ?desk upgrade
      • heipdesk
      • i[il]iega[il]
      • ii[il]ega[il]
      • incoming e?mail
      • incoming.*fax
      • lock.*security
      • ma[il1]{1}[ -]?box.*quo
      • ma[il1]{2}[ -]?box.*fu[il1]
      • ma[il1]{2}box.*[il1]{2}mit
      • ma[il1]{2}box stor
      • mail on.?hold
      • mail.*box.*migration
      • mail.*de-?activat
      • mail.update.required
      • mails.*pending
      • messages.*pending
      • missed.*shipping.*notification
      • missed.shipment.notification
      • must.update.your.account
      • new [sl][io]g?[nig][ -]?in from
      • new voice ?-?mail
      • notifications.*pending
      • office.*3.*6.*5.*suspend
      • office365
      • on google docs with you
      • online doc
      • password.*compromised
      • periodic maintenance
      • potential(ly)? unauthorized
      • refund not approved
      • report
      • revised.*policy
      • scam
      • scanned.?invoice
      • secured?.update
      • security breach
      • securlty
      • signed.*delivery
      • statement is ready
      • status of your .{314}? ?delivery
      • susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
      • suspicious.*sign.*[io]n
      • suspicious.activit
      • temporar(il)?y deactivate
      • temporar[il1]{2}y disab[li]ed
      • temporarily.*lock
      • un-?usua[li].activity
      • unable.*deliver
      • unauthorized.*activit
      • unauthorized.device
      • undelivered message
      • unread.*doc
      • unusual.activity
      • upgrade.*account
      • upgrade.notice
      • urgent message
      • urgent.verification
      • v[il1]o[li1]at[il1]on security
      • va[il1]{1}date.*ma[il1]{2}[ -]?box
      • verification ?-?require
      • verification( )?-?need
      • verify.your?.account
      • web ?-?ma[il1]{2}
      • web[ -]?ma[il1]{2}
      • will.be.suspended
      • your (customer )?account .as
      • your.office.365
      • your.online.access
    • any of $suspicious_subjects where:
      • strings.icontains(subject.subject)
    • sender.display_name matches any of 73 patterns
      • Admin
      • Administrator
      • Alert
      • Assistant
      • Billing
      • Benefits
      • Bonus
      • CEO
      • CFO
      • CIO
      • CTO
      • Chairman
      • Claim
      • Confirm
      • Critical
      • Customer Service
      • Deal
      • Discount
      • Director
      • Exclusive
      • Executive
      • Fax
      • Free
      • Gift
      • /bHR/b
      • Helpdesk
      • Human Resources
      • Immediate
      • Important
      • Info
      • Information
      • Invoice
      • \bIT\b
      • Legal
      • Lottery
      • Management
      • Manager
      • Member Services
      • Notification
      • Offer
      • Operations
      • Order
      • Partner
      • Payment
      • Payroll
      • President
      • Premium
      • Prize
      • Receipt
      • Refund
      • Registrar
      • Required
      • Reward
      • Sales
      • Secretary
      • Security
      • Service
      • Signature
      • SSA?\.gov
      • Storage
      • Support
      • Sweepstakes
      • System
      • Tax
      • Tech Support
      • Update
      • Upgrade
      • Urgent
      • Validate
      • Verify
      • VIP
      • Webmaster
      • Winner
    • any of attachments where all hold:
      • any of:
        • .file_extension in $file_extensions_macros
        • .file_extension is 'pdf'
        • .file_type in ('pdf', 'doc', 'docx', 'xls', 'xlsx')
        • .content_type in ('application/pdf')
      • any of file.explode(.) where any holds:
        • any of .scan.url.urls where:
          • .url ends with '.exe'
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where:
          • .name is 'cred_theft'
  5. any of attachments where all hold:
    • any of:
      • .file_extension in $file_extensions_macros
      • .file_extension is 'pdf'
      • .file_type in ('pdf', 'doc', 'docx', 'xls', 'xlsx')
      • .content_type in ('application/pdf')
    • any of file.explode(.) where:
      • any of .scan.url.urls where all hold:
        • any of:
          • ml.link_analysis(., mode='aggressive').final_dom.display_text contains 'cloudflare'
          • all of:
            • ml.link_analysis(., mode='aggressive').final_dom.raw contains 'https://challenges.cloudflare.com/turnstile/'
            • length(ml.link_analysis(., mode='aggressive').final_dom.display_text) < 200
        • none of:
          • all of:
            • ml.link_analysis(., mode='aggressive').final_dom.display_text matches '*error code*'
            • any of ml.link_analysis(., mode='aggressive').final_dom.links where:
              • .href_url.query_params contains 'utm_source=errorcode'
          • ml.link_analysis(., mode='aggressive').final_dom.display_text matches 'cookie.{0,50}Cloudflare'
          • ml.link_analysis(., mode='aggressive').effective_url.domain.root_domain in ('marketbeat.com')
  6. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  8. not:
    • profile.by_sender().any_messages_benign

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.explode, ml.link_analysis, ml.nlu_classifier, profile.by_sender, regex.icontains, strings.ends_with, strings.icontains, strings.ilike. Reference lists: $file_extensions_macros, $high_trust_sender_root_domains, $suspicious_subjects.

Indicators matched (213)

| Field | Match | Value |
| --- | --- | --- |
| attachments[].file_extension | equals | pdf |
| attachments[].file_type | member | pdf |
| attachments[].file_type | member | doc |
| attachments[].file_type | member | docx |
| attachments[].file_type | member | xls |
| attachments[].file_type | member | xlsx |
| attachments[].content_type | member | application/pdf |
| attachments[].content_type | member | message/global-delivery-status |
| attachments[].content_type | member | message/delivery-status |
regex.icontainsregextermination.*notice
regex.icontainsregex38417
regex.icontainsregex:completed
regex.icontainsregex[il1]{2}mit.*ma[il1]{2} ?bo?x
regex.icontainsregex[il][il][il]egai[ -]
regex.icontainsregex[li][li][li]ega[li] attempt
regex.icontainsregex[ng]-?[io]n .*block
regex.icontainsregex[ng]-?[io]n .*cancel
regex.icontainsregex[ng]-?[io]n .*deactiv
regex.icontainsregex[ng]-?[io]n .*disabl
regex.icontainsregexaction.*required
regex.icontainsregexabandon.*package
regex.icontainsregexabout.your.account
regex.icontainsregexacc(ou)?n?t (is )?on ho[li]d
regex.icontainsregexacc(ou)?n?t.*terminat
regex.icontainsregexacc(oun)?t.*[il1]{2}mitation
regex.icontainsregexaccess.*limitation
regex.icontainsregexaccount (will be )?block
regex.icontainsregexaccount.*de-?activat
regex.icontainsregexaccount.*locked
regex.icontainsregexaccount.*re-verification
regex.icontainsregexaccount.*security
regex.icontainsregexaccount.*suspension
regex.icontainsregexaccount.has.been
regex.icontainsregexaccount.has.expired
regex.icontainsregexaccount.will.be.blocked
regex.icontainsregexaccount v[il]o[li]at
regex.icontainsregexactivity.*acc(oun)?t
regex.icontainsregexalmost.full
regex.icontainsregexapp[li]e.[il]d
regex.icontainsregexauthenticate.*account
regex.icontainsregexbeen.*suspend
regex.icontainsregexclos.*of.*account.*processed
regex.icontainsregexconfirm.your.account
regex.icontainsregexcourier.*able
regex.icontainsregexcrediential.*notif
regex.icontainsregexdeactivation.*in.*progress
regex.icontainsregexdelivery.*attempt.*failed
regex.icontainsregexdocument.received
regex.icontainsregexdocumented.*shared.*with.*you
regex.icontainsregexdropbox.*document
regex.icontainsregexe-?ma[il1]+ .{010}suspen
regex.icontainsregexe-?ma[il1]{1} user
regex.icontainsregexe-?ma[il1]{2} acc
regex.icontainsregexe-?ma[il1]{2}.*up.?grade
regex.icontainsregexe.?ma[il1]{2}.*server
regex.icontainsregexe.?ma[il1]{2}.*suspend
regex.icontainsregexemail.update
regex.icontainsregexfaxed you
regex.icontainsregexfraud(ulent)?.*charge
regex.icontainsregexfrom.helpdesk
regex.icontainsregexfu[il1]{2}.*ma[il1]+[ -]?box
regex.icontainsregexhas.been.*suspended
regex.icontainsregexhas.been.limited
regex.icontainsregexhave.locked
regex.icontainsregexhe[li]p ?desk upgrade
regex.icontainsregexheipdesk
regex.icontainsregexi[il]iega[il]
regex.icontainsregexii[il]ega[il]
regex.icontainsregexincoming e?mail
regex.icontainsregexincoming.*fax
regex.icontainsregexlock.*security
regex.icontainsregexma[il1]{1}[ -]?box.*quo
regex.icontainsregexma[il1]{2}[ -]?box.*fu[il1]
regex.icontainsregexma[il1]{2}box.*[il1]{2}mit
regex.icontainsregexma[il1]{2}box stor
regex.icontainsregexmail on.?hold
regex.icontainsregexmail.*box.*migration
regex.icontainsregexmail.*de-?activat
regex.icontainsregexmail.update.required
regex.icontainsregexmails.*pending
regex.icontainsregexmessages.*pending
regex.icontainsregexmissed.*shipping.*notification
regex.icontainsregexmissed.shipment.notification
regex.icontainsregexmust.update.your.account
regex.icontainsregexnew [sl][io]g?[nig][ -]?in from
regex.icontainsregexnew voice ?-?mail
regex.icontainsregexnotifications.*pending
regex.icontainsregexoffice.*3.*6.*5.*suspend
regex.icontainsregexoffice365
regex.icontainsregexon google docs with you
regex.icontainsregexonline doc
regex.icontainsregexpassword.*compromised
regex.icontainsregexperiodic maintenance
regex.icontainsregexpotential(ly)? unauthorized
regex.icontainsregexrefund not approved
regex.icontainsregexreport
regex.icontainsregexrevised.*policy
regex.icontainsregexscam
regex.icontainsregexscanned.?invoice
regex.icontainsregexsecured?.update
regex.icontainsregexsecurity breach
regex.icontainsregexsecurlty
regex.icontainsregexsigned.*delivery
regex.icontainsregexstatement is ready
regex.icontainsregexstatus of your .{314}? ?delivery
regex.icontainsregexsusp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
regex.icontainsregexsuspicious.*sign.*[io]n
regex.icontainsregexsuspicious.activit
regex.icontainsregextemporar(il)?y deactivate
regex.icontainsregextemporar[il1]{2}y disab[li]ed
regex.icontainsregextemporarily.*lock
regex.icontainsregexun-?usua[li].activity
regex.icontainsregexunable.*deliver
regex.icontainsregexunauthorized.*activit
regex.icontainsregexunauthorized.device
regex.icontainsregexundelivered message
regex.icontainsregexunread.*doc
regex.icontainsregexunusual.activity
regex.icontainsregexupgrade.*account
regex.icontainsregexupgrade.notice
regex.icontainsregexurgent message
regex.icontainsregexurgent.verification
regex.icontainsregexv[il1]o[li1]at[il1]on security
regex.icontainsregexva[il1]{1}date.*ma[il1]{2}[ -]?box
regex.icontainsregexverification ?-?require
regex.icontainsregexverification( )?-?need
regex.icontainsregexverify.your?.account
regex.icontainsregexweb ?-?ma[il1]{2}
regex.icontainsregexweb[ -]?ma[il1]{2}
regex.icontainsregexwill.be.suspended
regex.icontainsregexyour (customer )?account .as
regex.icontainsregexyour.office.365
regex.icontainsregexyour.online.access
regex.icontainsregexAdmin
regex.icontainsregexAdministrator
regex.icontainsregexAlert
regex.icontainsregexAssistant
regex.icontainsregexBilling
regex.icontainsregexBenefits
regex.icontainsregexBonus
regex.icontainsregexCEO
regex.icontainsregexCFO
regex.icontainsregexCIO
regex.icontainsregexCTO
regex.icontainsregexChairman
regex.icontainsregexClaim
regex.icontainsregexConfirm
regex.icontainsregexCritical
regex.icontainsregexCustomer Service
regex.icontainsregexDeal
regex.icontainsregexDiscount
regex.icontainsregexDirector
regex.icontainsregexExclusive
regex.icontainsregexExecutive
regex.icontainsregexFax
regex.icontainsregexFree
regex.icontainsregexGift
regex.icontainsregex/bHR/b
regex.icontainsregexHelpdesk
regex.icontainsregexHuman Resources
regex.icontainsregexImmediate
regex.icontainsregexImportant
regex.icontainsregexInfo
regex.icontainsregexInformation
regex.icontainsregexInvoice
regex.icontainsregex\bIT\b
regex.icontainsregexLegal
regex.icontainsregexLottery
regex.icontainsregexManagement
regex.icontainsregexManager
regex.icontainsregexMember Services
regex.icontainsregexNotification
regex.icontainsregexOffer
regex.icontainsregexOperations
regex.icontainsregexOrder
regex.icontainsregexPartner
regex.icontainsregexPayment
regex.icontainsregexPayroll
regex.icontainsregexPresident
regex.icontainsregexPremium
regex.icontainsregexPrize
regex.icontainsregexReceipt
regex.icontainsregexRefund
regex.icontainsregexRegistrar
regex.icontainsregexRequired
regex.icontainsregexReward
regex.icontainsregexSales
regex.icontainsregexSecretary
regex.icontainsregexSecurity
regex.icontainsregexService
regex.icontainsregexSignature
regex.icontainsregexSSA?\.gov
regex.icontainsregexStorage
regex.icontainsregexSupport
regex.icontainsregexSweepstakes
regex.icontainsregexSystem
regex.icontainsregexTax
regex.icontainsregexTech Support
regex.icontainsregexUpdate
regex.icontainsregexUpgrade
regex.icontainsregexUrgent
regex.icontainsregexValidate
regex.icontainsregexVerify
regex.icontainsregexVIP
regex.icontainsregexWebmaster
regex.icontainsregexWinner
| strings.ends_with | suffix | .exe |
| ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft |
| strings.icontains | substring | cloudflare |
| strings.icontains | substring | https://challenges.cloudflare.com/turnstile/ |
| strings.ilike | substring | *error code* |
| strings.icontains | substring | utm_source=errorcode |
| regex.icontains | regex | cookie.{0,50}Cloudflare |