detection.wiki

Detection rules › Sublime MQL

Suspicious message with unscannable Cloudflare link

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing

Event coverage

Message attribute
attachments (collection)
body
body.links (collection)
headers.auth_summary
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  (
    // few links
    0 < length(body.links) < 20
    // fewer unique root domain links
    and length(distinct(body.links, .href_url.domain.root_domain)) < 10
    // sender domain matches no body domains
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  )
  or beta.scan_qr(file.message_screenshot()).found
)

// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)

// suspicious subject or display name
and (
  regex.icontains(subject.subject,
                  "termination.*notice",
                  "38417",
                  ":completed",
                  "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                  "[il][il][il]egai[ -]",
                  "[li][li][li]ega[li] attempt",
                  "[ng]-?[io]n .*block",
                  "[ng]-?[io]n .*cancel",
                  "[ng]-?[io]n .*deactiv",
                  "[ng]-?[io]n .*disabl",
                  "action.*required",
                  "abandon.*package",
                  "about.your.account",
                  "acc(ou)?n?t (is )?on ho[li]d",
                  "acc(ou)?n?t.*terminat",
                  "acc(oun)?t.*[il1]{2}mitation",
                  "access.*limitation",
                  "account (will be )?block",
                  "account.*de-?activat",
                  "account.*locked",
                  "account.*re-verification",
                  "account.*security",
                  "account.*suspension",
                  "account.has.been",
                  "account.has.expired",
                  "account.will.be.blocked",
                  "account v[il]o[li]at",
                  "activity.*acc(oun)?t",
                  "almost.full",
                  "app[li]e.[il]d",
                  "authenticate.*account",
                  "been.*suspend",
                  "clos.*of.*account.*processed",
                  "confirm.your.account",
                  "courier.*able",
                  "crediential.*notif",
                  "deactivation.*in.*progress",
                  "delivery.*attempt.*failed",
                  "document.received",
                  "documented.*shared.*with.*you",
                  "dropbox.*document",
                  "e-?ma[il1]+ .{010}suspen",
                  "e-?ma[il1]{1} user",
                  "e-?ma[il1]{2} acc",
                  "e-?ma[il1]{2}.*up.?grade",
                  "e.?ma[il1]{2}.*server",
                  "e.?ma[il1]{2}.*suspend",
                  "email.update",
                  "faxed you",
                  "fraud(ulent)?.*charge",
                  "from.helpdesk",
                  "fu[il1]{2}.*ma[il1]+[ -]?box",
                  "has.been.*suspended",
                  "has.been.limited",
                  "have.locked",
                  "he[li]p ?desk upgrade",
                  "heipdesk",
                  "i[il]iega[il]",
                  "ii[il]ega[il]",
                  "incoming e?mail",
                  "incoming.*fax",
                  "lock.*security",
                  "ma[il1]{1}[ -]?box.*quo",
                  "ma[il1]{2}[ -]?box.*fu[il1]",
                  "ma[il1]{2}box.*[il1]{2}mit",
                  "ma[il1]{2}box stor",
                  "mail on.?hold",
                  "mail.*box.*migration",
                  "mail.*de-?activat",
                  "mail.update.required",
                  "mails.*pending",
                  "messages.*pending",
                  "missed.*shipping.*notification",
                  "missed.shipment.notification",
                  "must.update.your.account",
                  "new [sl][io]g?[nig][ -]?in from",
                  "new voice ?-?mail",
                  "notifications.*pending",
                  "office.*3.*6.*5.*suspend",
                  "office365",
                  "on google docs with you",
                  "online doc",
                  "password.*compromised",
                  "periodic maintenance",
                  "potential(ly)? unauthorized",
                  "refund not approved",
                  "report",
                  "revised.*policy",
                  "scam",
                  "scanned.?invoice",
                  "secured?.update",
                  "security breach",
                  "securlty",
                  "signed.*delivery",
                  "statement is ready",
                  "status of your .{314}? ?delivery",
                  "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                  "suspicious.*sign.*[io]n",
                  "suspicious.activit",
                  "temporar(il)?y deactivate",
                  "temporar[il1]{2}y disab[li]ed",
                  "temporarily.*lock",
                  "un-?usua[li].activity",
                  "unable.*deliver",
                  "unauthorized.*activit",
                  "unauthorized.device",
                  "undelivered message",
                  "unread.*doc",
                  "unusual.activity",
                  "upgrade.*account",
                  "upgrade.notice",
                  "urgent message",
                  "urgent.verification",
                  "v[il1]o[li1]at[il1]on security",
                  "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                  "verification ?-?require",
                  "verification( )?-?need",
                  "verify.your?.account",
                  "web ?-?ma[il1]{2}",
                  "web[ -]?ma[il1]{2}",
                  "will.be.suspended",
                  "your (customer )?account .as",
                  "your.office.365",
                  "your.online.access"
  )
  or any($suspicious_subjects, strings.icontains(subject.subject, .))
  or regex.icontains(sender.display_name,
                     "Admin",
                     "Administrator",
                     "Alert",
                     "Assistant",
                     "Billing",
                     "Benefits",
                     "Bonus",
                     "CEO",
                     "CFO",
                     "CIO",
                     "CTO",
                     "Chairman",
                     "Claim",
                     "Confirm",
                     "Critical",
                     "Customer Service",
                     "Deal",
                     "Discount",
                     "Director",
                     "Exclusive",
                     "Executive",
                     "Fax",
                     "Free",
                     "Gift",
                     "/bHR/b",
                     "Helpdesk",
                     "Human Resources",
                     "Immediate",
                     "Important",
                     "Info",
                     "Information",
                     "Invoice",
                     '\bIT\b',
                     "Legal",
                     "Lottery",
                     "Management",
                     "Manager",
                     "Member Services",
                     "Notification",
                     "Offer",
                     "Operations",
                     "Order",
                     "Partner",
                     "Payment",
                     "Payroll",
                     "President",
                     "Premium",
                     "Prize",
                     "Receipt",
                     "Refund",
                     "Registrar",
                     "Required",
                     "Reward",
                     "Sales",
                     "Secretary",
                     "Security",
                     "Service",
                     "Signature",
                     "SSA",
                     "Storage",
                     "Support",
                     "Sweepstakes",
                     "System",
                     "Tax",
                     "Tech Support",
                     "Update",
                     "Upgrade",
                     "Urgent",
                     "Validate",
                     "Verify",
                     "VIP",
                     "Webmaster",
                     "Winner",
  )
  or any(body.links, strings.ends_with(.href_url.url, ".exe"))
)

// link can't be scanned due to Cloudflare captcha
and (
  any(body.links,
      (
        strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                          "cloudflare"
        )
        // includes the turnstile CAPTCHA
        or (
          strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                            'https://challenges.cloudflare.com/turnstile/'
          )
          // has a short body length indicating the page is gated behind the turnstile instead
          // of just including the turnstile
          and length((
                       ml.link_analysis(., mode="aggressive").final_dom.display_text
                     )
          ) < 200
        )
      )
      and not (
        ( // a Cloudflare error page
          strings.ilike(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                        "*error code*"
          )
          and any(ml.link_analysis(., mode="aggressive").final_dom.links,
                  strings.icontains(.href_url.query_params,
                                    "utm_source=errorcode"
                  )
          )
        ) // a cookie warning mentioning Cloudflare
        or regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                           "cookie.{0,50}Cloudflare"
        )
        or ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in (
          "marketbeat.com"
        )
      )
  )
  or any(beta.scan_qr(file.message_screenshot()).items,
         .type == "url"
         and (
           strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
                             "cloudflare"
           )
           // includes the turnstile CAPTCHA
           or (
             strings.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.raw,
                               'https://challenges.cloudflare.com/turnstile/'
             )
             // has a short body length indicating the page is gated behind the turnstile instead
             // of just including the turnstile
             and length((
                          ml.link_analysis(.url, mode="aggressive").final_dom.display_text
                        )
             ) < 200
           )
         )
         and not (
           ( // a Cloudflare error page
             strings.ilike(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
                           "*error code*"
             )
             and any(ml.link_analysis(.url, mode="aggressive").final_dom.links,
                     strings.icontains(.href_url.query_params,
                                       "utm_source=errorcode"
                     )
             )
           ) // a cookie warning mentioning Cloudflare
           or regex.icontains(ml.link_analysis(.url, mode="aggressive").final_dom.display_text,
                              "cookie.{0,50}Cloudflare"
           )
           or ml.link_analysis(.url, mode="aggressive").effective_url.domain.root_domain in (
             "marketbeat.com"
           )
         )
  )
)
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

  1. inbound message
  2. any of:
    • all of:
      • all of:
        • length(body.links) > 0
        • length(body.links) < 20
      • length(distinct(body.links, .href_url.domain.root_domain)) < 10
      • all of body.links where:
        • .href_url.domain.root_domain is not sender.email.domain.root_domain
    • beta.scan_qr(file.message_screenshot()).found
  3. not:
    • any of attachments where:
      • .content_type in ('message/global-delivery-status', 'message/delivery-status')
  4. any of:
    • subject.subject matches any of 124 patterns
      • termination.*notice
      • 38417
      • :completed
      • [il1]{2}mit.*ma[il1]{2} ?bo?x
      • [il][il][il]egai[ -]
      • [li][li][li]ega[li] attempt
      • [ng]-?[io]n .*block
      • [ng]-?[io]n .*cancel
      • [ng]-?[io]n .*deactiv
      • [ng]-?[io]n .*disabl
      • action.*required
      • abandon.*package
      • about.your.account
      • acc(ou)?n?t (is )?on ho[li]d
      • acc(ou)?n?t.*terminat
      • acc(oun)?t.*[il1]{2}mitation
      • access.*limitation
      • account (will be )?block
      • account.*de-?activat
      • account.*locked
      • account.*re-verification
      • account.*security
      • account.*suspension
      • account.has.been
      • account.has.expired
      • account.will.be.blocked
      • account v[il]o[li]at
      • activity.*acc(oun)?t
      • almost.full
      • app[li]e.[il]d
      • authenticate.*account
      • been.*suspend
      • clos.*of.*account.*processed
      • confirm.your.account
      • courier.*able
      • crediential.*notif
      • deactivation.*in.*progress
      • delivery.*attempt.*failed
      • document.received
      • documented.*shared.*with.*you
      • dropbox.*document
      • e-?ma[il1]+ .{010}suspen
      • e-?ma[il1]{1} user
      • e-?ma[il1]{2} acc
      • e-?ma[il1]{2}.*up.?grade
      • e.?ma[il1]{2}.*server
      • e.?ma[il1]{2}.*suspend
      • email.update
      • faxed you
      • fraud(ulent)?.*charge
      • from.helpdesk
      • fu[il1]{2}.*ma[il1]+[ -]?box
      • has.been.*suspended
      • has.been.limited
      • have.locked
      • he[li]p ?desk upgrade
      • heipdesk
      • i[il]iega[il]
      • ii[il]ega[il]
      • incoming e?mail
      • incoming.*fax
      • lock.*security
      • ma[il1]{1}[ -]?box.*quo
      • ma[il1]{2}[ -]?box.*fu[il1]
      • ma[il1]{2}box.*[il1]{2}mit
      • ma[il1]{2}box stor
      • mail on.?hold
      • mail.*box.*migration
      • mail.*de-?activat
      • mail.update.required
      • mails.*pending
      • messages.*pending
      • missed.*shipping.*notification
      • missed.shipment.notification
      • must.update.your.account
      • new [sl][io]g?[nig][ -]?in from
      • new voice ?-?mail
      • notifications.*pending
      • office.*3.*6.*5.*suspend
      • office365
      • on google docs with you
      • online doc
      • password.*compromised
      • periodic maintenance
      • potential(ly)? unauthorized
      • refund not approved
      • report
      • revised.*policy
      • scam
      • scanned.?invoice
      • secured?.update
      • security breach
      • securlty
      • signed.*delivery
      • statement is ready
      • status of your .{314}? ?delivery
      • susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
      • suspicious.*sign.*[io]n
      • suspicious.activit
      • temporar(il)?y deactivate
      • temporar[il1]{2}y disab[li]ed
      • temporarily.*lock
      • un-?usua[li].activity
      • unable.*deliver
      • unauthorized.*activit
      • unauthorized.device
      • undelivered message
      • unread.*doc
      • unusual.activity
      • upgrade.*account
      • upgrade.notice
      • urgent message
      • urgent.verification
      • v[il1]o[li1]at[il1]on security
      • va[il1]{1}date.*ma[il1]{2}[ -]?box
      • verification ?-?require
      • verification( )?-?need
      • verify.your?.account
      • web ?-?ma[il1]{2}
      • web[ -]?ma[il1]{2}
      • will.be.suspended
      • your (customer )?account .as
      • your.office.365
      • your.online.access
    • any of $suspicious_subjects where:
      • strings.icontains(subject.subject)
    • sender.display_name matches any of 73 patterns
      • Admin
      • Administrator
      • Alert
      • Assistant
      • Billing
      • Benefits
      • Bonus
      • CEO
      • CFO
      • CIO
      • CTO
      • Chairman
      • Claim
      • Confirm
      • Critical
      • Customer Service
      • Deal
      • Discount
      • Director
      • Exclusive
      • Executive
      • Fax
      • Free
      • Gift
      • /bHR/b
      • Helpdesk
      • Human Resources
      • Immediate
      • Important
      • Info
      • Information
      • Invoice
      • \bIT\b
      • Legal
      • Lottery
      • Management
      • Manager
      • Member Services
      • Notification
      • Offer
      • Operations
      • Order
      • Partner
      • Payment
      • Payroll
      • President
      • Premium
      • Prize
      • Receipt
      • Refund
      • Registrar
      • Required
      • Reward
      • Sales
      • Secretary
      • Security
      • Service
      • Signature
      • SSA
      • Storage
      • Support
      • Sweepstakes
      • System
      • Tax
      • Tech Support
      • Update
      • Upgrade
      • Urgent
      • Validate
      • Verify
      • VIP
      • Webmaster
      • Winner
    • any of body.links where:
      • .href_url.url ends with '.exe'
  5. any of:
    • any of body.links where all hold:
      • any of:
        • ml.link_analysis(., mode='aggressive').final_dom.display_text contains 'cloudflare'
        • all of:
          • ml.link_analysis(., mode='aggressive').final_dom.raw contains 'https://challenges.cloudflare.com/turnstile/'
          • length(ml.link_analysis(., mode='aggressive').final_dom.display_text) < 200
      • none of:
        • all of:
          • ml.link_analysis(., mode='aggressive').final_dom.display_text matches '*error code*'
          • any of ml.link_analysis(., mode='aggressive').final_dom.links where:
            • .href_url.query_params contains 'utm_source=errorcode'
        • ml.link_analysis(., mode='aggressive').final_dom.display_text matches 'cookie.{0,50}Cloudflare'
        • ml.link_analysis(.).effective_url.domain.root_domain in ('marketbeat.com')
    • any of beta.scan_qr(file.message_screenshot()).items where all hold:
      • .type is 'url'
      • any of:
        • ml.link_analysis(.url, mode='aggressive').final_dom.display_text contains 'cloudflare'
        • all of:
          • ml.link_analysis(.url, mode='aggressive').final_dom.raw contains 'https://challenges.cloudflare.com/turnstile/'
          • length(ml.link_analysis(.url, mode='aggressive').final_dom.display_text) < 200
      • none of:
        • all of:
          • ml.link_analysis(.url, mode='aggressive').final_dom.display_text matches '*error code*'
          • any of ml.link_analysis(.url, mode='aggressive').final_dom.links where:
            • .href_url.query_params contains 'utm_source=errorcode'
        • ml.link_analysis(.url, mode='aggressive').final_dom.display_text matches 'cookie.{0,50}Cloudflare'
        • ml.link_analysis(.url).effective_url.domain.root_domain in ('marketbeat.com')
  6. any of:
    • not:
      • profile.by_sender_email().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  8. not:
    • profile.by_sender().any_messages_benign

Inspects: attachments[].content_type, body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.url, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.scan_qr, file.message_screenshot, ml.link_analysis, profile.by_sender, profile.by_sender_email, regex.icontains, strings.ends_with, strings.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains, $suspicious_subjects.

Indicators matched (206)

FieldMatchValue
attachments[].content_typemembermessage/global-delivery-status
attachments[].content_typemembermessage/delivery-status
regex.icontainsregextermination.*notice
regex.icontainsregex38417
regex.icontainsregex:completed
regex.icontainsregex[il1]{2}mit.*ma[il1]{2} ?bo?x
regex.icontainsregex[il][il][il]egai[ -]
regex.icontainsregex[li][li][li]ega[li] attempt
regex.icontainsregex[ng]-?[io]n .*block
regex.icontainsregex[ng]-?[io]n .*cancel
regex.icontainsregex[ng]-?[io]n .*deactiv
regex.icontainsregex[ng]-?[io]n .*disabl
194 more
regex.icontainsregexaction.*required
regex.icontainsregexabandon.*package
regex.icontainsregexabout.your.account
regex.icontainsregexacc(ou)?n?t (is )?on ho[li]d
regex.icontainsregexacc(ou)?n?t.*terminat
regex.icontainsregexacc(oun)?t.*[il1]{2}mitation
regex.icontainsregexaccess.*limitation
regex.icontainsregexaccount (will be )?block
regex.icontainsregexaccount.*de-?activat
regex.icontainsregexaccount.*locked
regex.icontainsregexaccount.*re-verification
regex.icontainsregexaccount.*security
regex.icontainsregexaccount.*suspension
regex.icontainsregexaccount.has.been
regex.icontainsregexaccount.has.expired
regex.icontainsregexaccount.will.be.blocked
regex.icontainsregexaccount v[il]o[li]at
regex.icontainsregexactivity.*acc(oun)?t
regex.icontainsregexalmost.full
regex.icontainsregexapp[li]e.[il]d
regex.icontainsregexauthenticate.*account
regex.icontainsregexbeen.*suspend
regex.icontainsregexclos.*of.*account.*processed
regex.icontainsregexconfirm.your.account
regex.icontainsregexcourier.*able
regex.icontainsregexcrediential.*notif
regex.icontainsregexdeactivation.*in.*progress
regex.icontainsregexdelivery.*attempt.*failed
regex.icontainsregexdocument.received
regex.icontainsregexdocumented.*shared.*with.*you
regex.icontainsregexdropbox.*document
regex.icontainsregexe-?ma[il1]+ .{010}suspen
regex.icontainsregexe-?ma[il1]{1} user
regex.icontainsregexe-?ma[il1]{2} acc
regex.icontainsregexe-?ma[il1]{2}.*up.?grade
regex.icontainsregexe.?ma[il1]{2}.*server
regex.icontainsregexe.?ma[il1]{2}.*suspend
regex.icontainsregexemail.update
regex.icontainsregexfaxed you
regex.icontainsregexfraud(ulent)?.*charge
regex.icontainsregexfrom.helpdesk
regex.icontainsregexfu[il1]{2}.*ma[il1]+[ -]?box
regex.icontainsregexhas.been.*suspended
regex.icontainsregexhas.been.limited
regex.icontainsregexhave.locked
regex.icontainsregexhe[li]p ?desk upgrade
regex.icontainsregexheipdesk
regex.icontainsregexi[il]iega[il]
regex.icontainsregexii[il]ega[il]
regex.icontainsregexincoming e?mail
regex.icontainsregexincoming.*fax
regex.icontainsregexlock.*security
regex.icontainsregexma[il1]{1}[ -]?box.*quo
regex.icontainsregexma[il1]{2}[ -]?box.*fu[il1]
regex.icontainsregexma[il1]{2}box.*[il1]{2}mit
regex.icontainsregexma[il1]{2}box stor
regex.icontainsregexmail on.?hold
regex.icontainsregexmail.*box.*migration
regex.icontainsregexmail.*de-?activat
regex.icontainsregexmail.update.required
regex.icontainsregexmails.*pending
regex.icontainsregexmessages.*pending
regex.icontainsregexmissed.*shipping.*notification
regex.icontainsregexmissed.shipment.notification
regex.icontainsregexmust.update.your.account
regex.icontainsregexnew [sl][io]g?[nig][ -]?in from
regex.icontainsregexnew voice ?-?mail
regex.icontainsregexnotifications.*pending
regex.icontainsregexoffice.*3.*6.*5.*suspend
regex.icontainsregexoffice365
regex.icontainsregexon google docs with you
regex.icontainsregexonline doc
regex.icontainsregexpassword.*compromised
regex.icontainsregexperiodic maintenance
regex.icontainsregexpotential(ly)? unauthorized
regex.icontainsregexrefund not approved
regex.icontainsregexreport
regex.icontainsregexrevised.*policy
regex.icontainsregexscam
regex.icontainsregexscanned.?invoice
regex.icontainsregexsecured?.update
regex.icontainsregexsecurity breach
regex.icontainsregexsecurlty
regex.icontainsregexsigned.*delivery
regex.icontainsregexstatement is ready
regex.icontainsregexstatus of your .{314}? ?delivery
regex.icontainsregexsusp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
regex.icontainsregexsuspicious.*sign.*[io]n
regex.icontainsregexsuspicious.activit
regex.icontainsregextemporar(il)?y deactivate
regex.icontainsregextemporar[il1]{2}y disab[li]ed
regex.icontainsregextemporarily.*lock
regex.icontainsregexun-?usua[li].activity
regex.icontainsregexunable.*deliver
regex.icontainsregexunauthorized.*activit
regex.icontainsregexunauthorized.device
regex.icontainsregexundelivered message
regex.icontainsregexunread.*doc
regex.icontainsregexunusual.activity
regex.icontainsregexupgrade.*account
regex.icontainsregexupgrade.notice
regex.icontainsregexurgent message
regex.icontainsregexurgent.verification
regex.icontainsregexv[il1]o[li1]at[il1]on security
regex.icontainsregexva[il1]{1}date.*ma[il1]{2}[ -]?box
regex.icontainsregexverification ?-?require
regex.icontainsregexverification( )?-?need
regex.icontainsregexverify.your?.account
regex.icontainsregexweb ?-?ma[il1]{2}
regex.icontainsregexweb[ -]?ma[il1]{2}
regex.icontainsregexwill.be.suspended
regex.icontainsregexyour (customer )?account .as
regex.icontainsregexyour.office.365
regex.icontainsregexyour.online.access
regex.icontainsregexAdmin
regex.icontainsregexAdministrator
regex.icontainsregexAlert
regex.icontainsregexAssistant
regex.icontainsregexBilling
regex.icontainsregexBenefits
regex.icontainsregexBonus
regex.icontainsregexCEO
regex.icontainsregexCFO
regex.icontainsregexCIO
regex.icontainsregexCTO
regex.icontainsregexChairman
regex.icontainsregexClaim
regex.icontainsregexConfirm
regex.icontainsregexCritical
regex.icontainsregexCustomer Service
regex.icontainsregexDeal
regex.icontainsregexDiscount
regex.icontainsregexDirector
regex.icontainsregexExclusive
regex.icontainsregexExecutive
regex.icontainsregexFax
regex.icontainsregexFree
regex.icontainsregexGift
regex.icontainsregex/bHR/b
regex.icontainsregexHelpdesk
regex.icontainsregexHuman Resources
regex.icontainsregexImmediate
regex.icontainsregexImportant
regex.icontainsregexInfo
regex.icontainsregexInformation
regex.icontainsregexInvoice
regex.icontainsregex\bIT\b
regex.icontainsregexLegal
regex.icontainsregexLottery
regex.icontainsregexManagement
regex.icontainsregexManager
regex.icontainsregexMember Services
regex.icontainsregexNotification
regex.icontainsregexOffer
regex.icontainsregexOperations
regex.icontainsregexOrder
regex.icontainsregexPartner
regex.icontainsregexPayment
regex.icontainsregexPayroll
regex.icontainsregexPresident
regex.icontainsregexPremium
regex.icontainsregexPrize
regex.icontainsregexReceipt
regex.icontainsregexRefund
regex.icontainsregexRegistrar
regex.icontainsregexRequired
regex.icontainsregexReward
regex.icontainsregexSales
regex.icontainsregexSecretary
regex.icontainsregexSecurity
regex.icontainsregexService
regex.icontainsregexSignature
regex.icontainsregexSSA
regex.icontainsregexStorage
regex.icontainsregexSupport
regex.icontainsregexSweepstakes
regex.icontainsregexSystem
regex.icontainsregexTax
regex.icontainsregexTech Support
regex.icontainsregexUpdate
regex.icontainsregexUpgrade
regex.icontainsregexUrgent
regex.icontainsregexValidate
regex.icontainsregexVerify
regex.icontainsregexVIP
regex.icontainsregexWebmaster
regex.icontainsregexWinner
strings.ends_withsuffix.exe
strings.icontainssubstringcloudflare
strings.icontainssubstringhttps://challenges.cloudflare.com/turnstile/
strings.ilikesubstring*error code*
strings.icontainssubstringutm_source=errorcode
regex.icontainsregexcookie.{0,50}Cloudflare
beta.scan_qr(file.message_screenshot()).items[].typeequalsurl