detection.wiki

Detection rules › Sublime MQL

Suspicious Links to Cloudflare R2 and Edge Services

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud, Callback Phishing, Credential Phishing, Extortion, Malware/Ransomware, Spam
Tactics and techniquesFree file host

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers.auth_summary
sender.email
type

Rule body MQL

type.inbound
and any(body.links,
        // Check root domain first 
        .href_url.domain.root_domain in ("r2.dev", "pages.dev", "workers.dev")
// Check the specific pub-{hex}.r2.dev subdomain pattern only for r2.dev
)
// negate emails with unsubscribe links
and not any(body.links,
            strings.icontains(.href_url.url, "unsubscribe")
            or strings.icontains(.display_text, "unsubscribe")
)
// negate bulk mailer domains
and not any(body.links,
            .href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in (
        "Newsletters and Digests",
        "Advertising and Promotions",
        "Educational and Research",
        "B2B Cold Outreach",
        "Health and Wellness",
        "Professional and Career Development",
        "Romance",
        "Sexually Explicit Messages",
        "Software and App Updates",
        "Acts of Violence",
        "Voicemail Call and Missed Call Notifications"
      )
      and .confidence == "high"
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication.

  1. inbound message
  2. any of body.links where:
    • .href_url.domain.root_domain in ('r2.dev', 'pages.dev', 'workers.dev')
  3. not:
    • any of body.links where any holds:
      • .href_url.url contains 'unsubscribe'
      • .display_text contains 'unsubscribe'
  4. not:
    • any of body.links where:
      • .href_url.domain.root_domain in $bulk_mailer_url_root_domains
  5. not:
    • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
      • .name in ('Newsletters and Digests', 'Advertising and Promotions', 'Educational and Research', 'B2B Cold Outreach', 'Health and Wellness', 'Professional and Career Development', 'Romance', 'Sexually Explicit Messages', 'Software and App Updates', 'Acts of Violence', 'Voicemail Call and Missed Call Notifications')
      • .confidence is 'high'
  6. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  7. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  8. not:
    • profile.by_sender().any_messages_benign

Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, body.links[].href_url.url, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, strings.icontains. Reference lists: $bulk_mailer_url_root_domains, $high_trust_sender_root_domains.

Indicators matched (16)

FieldMatchValue
body.links[].href_url.domain.root_domainmemberr2.dev
body.links[].href_url.domain.root_domainmemberpages.dev
body.links[].href_url.domain.root_domainmemberworkers.dev
strings.icontainssubstringunsubscribe
ml.nlu_classifier(body.current_thread.text).topics[].namememberNewsletters and Digests
ml.nlu_classifier(body.current_thread.text).topics[].namememberAdvertising and Promotions
ml.nlu_classifier(body.current_thread.text).topics[].namememberEducational and Research
ml.nlu_classifier(body.current_thread.text).topics[].namememberB2B Cold Outreach
ml.nlu_classifier(body.current_thread.text).topics[].namememberHealth and Wellness
ml.nlu_classifier(body.current_thread.text).topics[].namememberProfessional and Career Development
ml.nlu_classifier(body.current_thread.text).topics[].namememberRomance
ml.nlu_classifier(body.current_thread.text).topics[].namememberSexually Explicit Messages
4 more
ml.nlu_classifier(body.current_thread.text).topics[].namememberSoftware and App Updates
ml.nlu_classifier(body.current_thread.text).topics[].namememberActs of Violence
ml.nlu_classifier(body.current_thread.text).topics[].namememberVoicemail Call and Missed Call Notifications
ml.nlu_classifier(body.current_thread.text).topics[].confidenceequalshigh