← Back to Explore
sublimemediumRule
Suspicious Links to Cloudflare R2 and Edge Services
Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication.
Detection Query
type.inbound
and any(body.links,
// Check root domain first
.href_url.domain.root_domain in ("r2.dev", "pages.dev", "workers.dev")
// Check the specific pub-{hex}.r2.dev subdomain pattern only for r2.dev
)
// negate emails with unsubscribe links
and not any(body.links,
strings.icontains(.href_url.url, "unsubscribe")
or strings.icontains(.display_text, "unsubscribe")
)
// negate bulk mailer domains
and not any(body.links,
.href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Educational and Research",
"B2B Cold Outreach",
"Health and Wellness",
"Professional and Career Development",
"Romance",
"Sexually Explicit Messages",
"Software and App Updates",
"Acts of Violence",
"Voicemail Call and Missed Call Notifications"
)
and .confidence == "high"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Suspicious Links to Cloudflare R2 and Edge Services"
description: "Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
// Check root domain first
.href_url.domain.root_domain in ("r2.dev", "pages.dev", "workers.dev")
// Check the specific pub-{hex}.r2.dev subdomain pattern only for r2.dev
)
// negate emails with unsubscribe links
and not any(body.links,
strings.icontains(.href_url.url, "unsubscribe")
or strings.icontains(.display_text, "unsubscribe")
)
// negate bulk mailer domains
and not any(body.links,
.href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Educational and Research",
"B2B Cold Outreach",
"Health and Wellness",
"Professional and Career Development",
"Romance",
"Sexually Explicit Messages",
"Software and App Updates",
"Acts of Violence",
"Voicemail Call and Missed Call Notifications"
)
and .confidence == "high"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
- "Credential Phishing"
- "Extortion"
- "Malware/Ransomware"
- "Spam"
tactics_and_techniques:
- "Free file host"
detection_methods:
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "5dd3e5c8-7c81-5e2f-8e2b-ef21ea77bf73"