Link: Multistage landing - Trello board abuse

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Free file host, Social engineering

Event coverage

Message attribute
body
body.links (collection)
type

Rule body MQL

type.inbound
and any(filter(body.links,
               .href_url.domain.root_domain == "trello.com"
               and strings.istarts_with(.href_url.path, "/b/")
        ),
        // avoid doing LinkAnalysis if the display-text has strong indications of phishing
        (
          // replace confusables - observed ITW
          regex.icontains(strings.replace_confusables(.display_text),
                          'review|proposal|document|efax|restore|[o0]pen|secure|messaging|reset|account|verify|login|notification|alert|urgent|immediate|access|support|\bupdate\b|download|attachment|service|payment|remittance|invoice|rfp|rfi|pdf|doc'
          )
          and not regex.icontains(strings.replace_confusables(.display_text),
                                  'customer service'
          )
          // add confidence to these strings by using profile.by_sender()
          and (
            not profile.by_sender_email().solicited
            and profile.by_sender_email().prevalence in ('new', 'outlier')
          )
        )
        or any(ml.link_analysis(.).additional_responses,
               // less than 4 cards on the Trello board
               length(.json['cards']) < 4
               or any(.json['cards'],
                      // suspicious link in a card title
                      (
                        strings.parse_url(.['name']).domain.valid
                        and (
                          ml.link_analysis(strings.parse_url(.['name'])).credphish.disposition == "phishing"
                          or ml.link_analysis(strings.parse_url(.['name'])).credphish.contains_captcha
                          // CF Turnstile
                          or any(ml.link_analysis(strings.parse_url(.['name'])).unique_urls_accessed,
                                 .domain.domain == "challenges.cloudflare.com"
                          )
                        )
                      )
                      // Trello detected a malicious card attachment
                      or .['badges']['maliciousAttachments'] > 0
               )
               // Trello has blocked the user account
               or any(.json['members'], .['activityBlocked'] == true)
               // the user is the sole member of their Trello account and is the admin
               or (
                 length(.json['memberships']) == 1
                 and all(.json['memberships'], .['orgMemberType'] == "admin")
               )
        )
)

Detection logic

Scope: inbound message.

Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.

inbound message
any of filter(body.links) where any holds:
- all of:
  - strings.replace_confusables(.display_text) matches 'review|proposal|document|efax|restore|[o0]pen|secure|messaging|reset|account|verify|login|notification|alert|urgent|immediate|access|support|\\bupdate\\b|download|attachment|service|payment|remittance|invoice|rfp|rfi|pdf|doc'
  - not:
    
    strings.replace_confusables(.display_text) matches 'customer service'
  - all of:
    
    not:
    
    profile.by_sender_email().solicited
    profile.by_sender_email().prevalence in ('new', 'outlier')
- any of ml.link_analysis(.).additional_responses where any holds:
  - length(.json['cards']) < 4
  - any of .json['cards'] where any holds:
    
    all of:
    
    strings.parse_url(.['name']).domain.valid
    any of:
    
    ml.link_analysis(strings.parse_url(.['name'])).credphish.disposition is 'phishing'
    ml.link_analysis(strings.parse_url(.['name'])).credphish.contains_captcha
    any of ml.link_analysis(strings.parse_url(.['name'])).unique_urls_accessed where:
    
    .domain.domain is 'challenges.cloudflare.com'
    .['badges']['maliciousAttachments'] > 0
  - any of .json['members'] where:
    
    .['activityBlocked'] is True
  - all of:
    
    length(.json['memberships']) is 1
    all of .json['memberships'] where:
    
    .['orgMemberType'] is 'admin'

Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, type.inbound. Sensors: ml.link_analysis, profile.by_sender_email, regex.icontains, strings.istarts_with, strings.parse_url, strings.replace_confusables.

Indicators matched (6)

Field	Match	Value
`body.links[].href_url.domain.root_domain`	equals	`trello.com`
`strings.istarts_with`	prefix	`/b/`
`regex.icontains`	regex	`review\|proposal\|document\|efax\|restore\|[o0]pen\|secure\|messaging\|reset\|account\|verify\|login\|notification\|alert\|urgent\|immediate\|access\|support\|\bupdate\b\|download\|attachment\|service\|payment\|remittance\|invoice\|rfp\|rfi\|pdf\|doc`
`regex.icontains`	regex	`customer service`
`ml.link_analysis(strings.parse_url(ml.link_analysis(filter(body.links)[]).additional_responses[].json['cards'][]['name'])).unique_urls_accessed[].domain.domain`	equals	`challenges.cloudflare.com`
`ml.link_analysis(filter(body.links)[]).additional_responses[].json['memberships'][]['orgMemberType']`	equals	`admin`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)