Attachment: PDF with multistage landing - ClickUp abuse
Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages.
Detection Query
// Scope: inbound mail carrying exactly one attachment, a PDF whose only
// extracted URL points at a ClickUp doc. The single-attachment / single-URL
// constraints narrow the rule to this specific lure layout.
type.inbound
and length(attachments) == 1
and any(attachments,
        .file_type == "pdf"
        // only the PDF itself (depth 0), not files nested inside it
        and any(file.explode(.),
                .depth == 0
                // exactly one URL in the PDF, and it is a ClickUp document link
                and length(.scan.url.urls) == 1
                and any(.scan.url.urls,
                        .domain.domain == "doc.clickup.com"
                        and (
                          // landing page has been removed
                          strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                                               'This page is currently unavailable'
                          )
                          // inspection of links within the doc.clickup.com page,
                          // ignoring ClickUp's own links and the org's own domains
                          or any(filter(ml.link_analysis(.).final_dom.links,
                                        .href_url.domain.root_domain != 'clickup.com'
                                        and .href_url.domain.root_domain not in $org_domains
                                 ),
                                 (
                                   // any of those link domains were registered fewer than 30 days ago (per WHOIS)
                                   network.whois(.href_url.domain).days_old < 30
                                   // go to free file hosts
                                   or .href_url.domain.root_domain in $free_file_hosts
                                   or .href_url.domain.domain in $free_file_hosts
                                   // go to free subdomain hosts
                                   or (
                                     .href_url.domain.root_domain in $free_subdomain_hosts
                                     // where there is a subdomain (other than a bare "www")
                                     and .href_url.domain.subdomain is not null
                                     and .href_url.domain.subdomain != "www"
                                   )
                                   // go to URL shorteners or social landing hosts
                                   or .href_url.domain.root_domain in $url_shorteners
                                   or .href_url.domain.root_domain in $social_landing_hosts
                                   or .href_url.domain.domain in $url_shorteners
                                   or .href_url.domain.domain in $social_landing_hosts
                                   // or a call-to-action link that, when followed, behaves like a credential lure
                                   or (
                                     // link display text mentions a common "action" word (case-insensitive)
                                     regex.icontains(.display_text,
                                                     '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                                     )
                                     and (
                                       // and when visited, the link is classified as phishing
                                       ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
                                       // or hits a CAPTCHA page (gating the real landing page)
                                       or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
                                       // or redirects at least once and lands on a popular (Tranco top-10k)
                                       // site, a pattern observed when the lure evades analysis
                                       or (
                                         length(ml.link_analysis(.,
                                                                 mode="aggressive"
                                                ).redirect_history
                                         ) > 0
                                         and ml.link_analysis(.,
                                                              mode="aggressive"
                                             ).effective_url.domain.root_domain in $tranco_10k
                                       )
                                     )
                                   )
                                 )
                          )
                        )
                )
        )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Detection rule definition; the MQL query evaluated per message is in `source`.
name: "Attachment: PDF with multistage landing - ClickUp abuse"
description: "Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail carrying exactly one attachment, a PDF whose only
  // extracted URL points at a ClickUp doc. The single-attachment / single-URL
  // constraints narrow the rule to this specific lure layout.
  type.inbound
  and length(attachments) == 1
  and any(attachments,
          .file_type == "pdf"
          // only the PDF itself (depth 0), not files nested inside it
          and any(file.explode(.),
                  .depth == 0
                  // exactly one URL in the PDF, and it is a ClickUp document link
                  and length(.scan.url.urls) == 1
                  and any(.scan.url.urls,
                          .domain.domain == "doc.clickup.com"
                          and (
                            // landing page has been removed
                            strings.istarts_with(ml.link_analysis(.).final_dom.display_text,
                                                 'This page is currently unavailable'
                            )
                            // inspection of links within the doc.clickup.com page,
                            // ignoring ClickUp's own links and the org's own domains
                            or any(filter(ml.link_analysis(.).final_dom.links,
                                          .href_url.domain.root_domain != 'clickup.com'
                                          and .href_url.domain.root_domain not in $org_domains
                                   ),
                                   (
                                     // any of those link domains were registered fewer than 30 days ago (per WHOIS)
                                     network.whois(.href_url.domain).days_old < 30
                                     // go to free file hosts
                                     or .href_url.domain.root_domain in $free_file_hosts
                                     or .href_url.domain.domain in $free_file_hosts
                                     // go to free subdomain hosts
                                     or (
                                       .href_url.domain.root_domain in $free_subdomain_hosts
                                       // where there is a subdomain (other than a bare "www")
                                       and .href_url.domain.subdomain is not null
                                       and .href_url.domain.subdomain != "www"
                                     )
                                     // go to URL shorteners or social landing hosts
                                     or .href_url.domain.root_domain in $url_shorteners
                                     or .href_url.domain.root_domain in $social_landing_hosts
                                     or .href_url.domain.domain in $url_shorteners
                                     or .href_url.domain.domain in $social_landing_hosts
                                     // or a call-to-action link that, when followed, behaves like a credential lure
                                     or (
                                       // link display text mentions a common "action" word (case-insensitive)
                                       regex.icontains(.display_text,
                                                       '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                                       )
                                       and (
                                         // and when visited, the link is classified as phishing
                                         ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
                                         // or hits a CAPTCHA page (gating the real landing page)
                                         or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
                                         // or redirects at least once and lands on a popular (Tranco top-10k)
                                         // site, a pattern observed when the lure evades analysis
                                         or (
                                           length(ml.link_analysis(.,
                                                                   mode="aggressive"
                                                  ).redirect_history
                                           ) > 0
                                           and ml.link_analysis(.,
                                                                mode="aggressive"
                                               ).effective_url.domain.root_domain in $tranco_10k
                                         )
                                       )
                                     )
                                   )
                            )
                          )
                  )
          )
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Whois"
id: "0dc40316-03b6-55a2-a5fe-81592ccf5ffb"