Link: Multistage landing - ClickUp abuse

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing, Malware/Ransomware
Tactics and techniques	Evasion, Free file host, Free subdomain host, Open redirect

Event coverage

Message attribute
body.current_thread
type

Rule body MQL

type.inbound
and any(body.current_thread.links,
        .href_url.domain.domain == "doc.clickup.com"
        and (
          // landing page has been removed
          strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                               'This page is currently unavailable'
          )
          // inspection of links within the doc.clickup.com
          or any(filter(ml.link_analysis(.).final_dom.links,
                        .href_url.domain.root_domain != 'clickup.com'
                        and .href_url.domain.root_domain not in $org_domains
                 ),
                 (
                   // any of those links domains are new
                   network.whois(.href_url.domain).days_old < 30
                   // go to free file hosts
                   or .href_url.domain.root_domain in $free_file_hosts
                   or .href_url.domain.domain in $free_file_hosts

                   // go to free subdomains hosts
                   or (
                     .href_url.domain.root_domain in $free_subdomain_hosts
                     // where there is a subdomain
                     and .href_url.domain.subdomain is not null
                     and .href_url.domain.subdomain != "www"
                   )
                   // go to url shorteners
                   or .href_url.domain.root_domain in $url_shorteners
                   or .href_url.domain.root_domain in $social_landing_hosts
                   or .href_url.domain.domain in $url_shorteners
                   or .href_url.domain.domain in $social_landing_hosts
                   // or the page has been taken down
                   or (
                     // find any links that mention common "action" words
                     regex.icontains(.display_text,
                                     '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                     )
                     and (
                       // and when visiting those links, are phishing
                       ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                       // hit a captcha page
                       or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                       // or the page redirects to common website, observed when evasion happens
                       or (
                         length(ml.link_analysis(., mode="aggressive").redirect_history
                         ) > 0
                         and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                       )
                     )
                   )
                 )
          )
        )
)

Detection logic

Scope: inbound message.

Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas.

inbound message
any of body.current_thread.links where all hold:
- .href_url.domain.domain is 'doc.clickup.com'
- any of:
  - ml.link_analysis(.).final_dom.display_text starts with 'This page is currently unavailable'
  - any of filter(...) where any holds:
    
    network.whois(.href_url.domain).days_old < 30
    .href_url.domain.root_domain in $free_file_hosts
    .href_url.domain.domain in $free_file_hosts
    all of:
    
    .href_url.domain.root_domain in $free_subdomain_hosts
    .href_url.domain.subdomain is set
    .href_url.domain.subdomain is not 'www'
    .href_url.domain.root_domain in $url_shorteners
    .href_url.domain.root_domain in $social_landing_hosts
    .href_url.domain.domain in $url_shorteners
    .href_url.domain.domain in $social_landing_hosts
    all of:
    
    .display_text matches '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
    any of:
    
    ml.link_analysis(.).credphish.disposition is 'phishing'
    ml.link_analysis(.).credphish.contains_captcha
    all of:
    
    length(ml.link_analysis(., mode='aggressive').redirect_history) > 0
    ml.link_analysis(.).effective_url.domain.root_domain in $tranco_10k

Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.domain, type.inbound. Sensors: ml.link_analysis, network.whois, regex.icontains, strings.istarts_with. Reference lists: $free_file_hosts, $free_subdomain_hosts, $org_domains, $social_landing_hosts, $tranco_10k, $url_shorteners.

Indicators matched (3)

Field	Match	Value
`body.current_thread.links[].href_url.domain.domain`	equals	`doc.clickup.com`
`strings.istarts_with`	prefix	`This page is currently unavailable`
`regex.icontains`	regex	`(?:view\|click\|show\|access\|download\|goto\|Validate\|Va[il]idar\|login\|verify\|account)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)