
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure

Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // eviltokens cloudflare workers domain struct
        (
          strings.iends_with(.href_url.domain.domain, '-account.workers.dev')
          and regex.icontains(.href_url.domain.domain,
                              '^(?:(?:page-)?adobe|calendar_invite|(?:page-)?docusign|fax|quarantine|onedrive|page-password|sharepoint|voicemail|index)-[a-z0-9]{3}\.[a-z0-9-]{3,}'
          )
        )
)
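The per-link test above, ported to Python as an added example (not part of the Sublime rule or its platform) and run over constructed sample links: it shows which hostnames trip both the `-account.workers.dev` suffix check and the naming-pattern regex, and which near-misses do not. Assumptions: `type.inbound` is taken as given, and `recipients.to[0].email.domain.valid` is approximated as "the recipient address has a dotted domain part".

```python
import re
from urllib.parse import urlparse

# Constants lifted from the rule: required host suffix and the naming-pattern regex.
WORKERS_SUFFIX = "-account.workers.dev"
EVILTOKENS_RE = re.compile(
    r"^(?:(?:page-)?adobe|calendar_invite|(?:page-)?docusign|fax|quarantine"
    r"|onedrive|page-password|sharepoint|voicemail|index)-[a-z0-9]{3}\.[a-z0-9-]{3,}",
    re.IGNORECASE,  # the rule uses case-insensitive regex.icontains / strings.iends_with
)

def link_domain(href: str) -> str:
    """Hostname of a link (lower-cased), standing in for .href_url.domain.domain."""
    return urlparse(href).hostname or ""

def is_eviltokens_workers_domain(domain: str) -> bool:
    """The per-link test from the rule's any(body.links, ...) clause."""
    return domain.lower().endswith(WORKERS_SUFFIX) and EVILTOKENS_RE.search(domain) is not None

def matching_links(body_links: list[str]) -> list[str]:
    """All link hostnames in a message body that trip the rule (useful for analyst triage)."""
    return [d for d in map(link_domain, body_links) if is_eviltokens_workers_domain(d)]

def message_matches(recipients_to: list[str], body_links: list[str]) -> bool:
    """Whole-rule port: exactly one recipient with a plausible domain, plus any flagged link."""
    if len(recipients_to) != 1:
        return False
    # Approximation (assumption) of recipients.to[0].email.domain.valid: a dotted domain part.
    _, _, rcpt_domain = recipients_to[0].rpartition("@")
    if "." not in rcpt_domain:
        return False
    return bool(matching_links(body_links))

# Constructed sample links (not real indicators) covering hits and near-misses.
SAMPLE_LINKS = [
    "https://DocuSign-K3P.Login-Account.workers.dev/view",      # hit: mixed case still matches
    "https://page-adobe-9zq.secure-docs-account.workers.dev/",  # hit: optional 'page-' prefix
    "https://voicemail-abc.workers.dev/",                       # miss: lacks the '-account' label
    "https://my-project-account.workers.dev/",                  # miss: no impersonated service name
    "https://www.adobe.com/",                                   # miss: not a workers.dev host
]

if __name__ == "__main__":
    print(matching_links(SAMPLE_LINKS))
    print(message_matches(["user@example.com"], SAMPLE_LINKS))
```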

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure"
description: "Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // eviltokens cloudflare workers domain struct
          (
            strings.iends_with(.href_url.domain.domain, '-account.workers.dev')
            and regex.icontains(.href_url.domain.domain,
                                '^(?:(?:page-)?adobe|calendar_invite|(?:page-)?docusign|fax|quarantine|onedrive|page-password|sharepoint|voicemail|index)-[a-z0-9]{3}\.[a-z0-9-]{3,}'
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
id: "c7e2906c-1e51-5afd-93de-b79ba3dff278"