Link: Cryptocurrency fraud with suspicious links
Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication.
Detection Query
// Scope: inbound messages only.
type.inbound
// Gate 1 - the NLU topic classifier must label the current thread as financial ...
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications")
)
// ... and the thread text must literally mention "cryptocurrency" or "bitcoin"
// (case-insensitive glob; either pattern is enough).
and strings.ilike(body.current_thread.text, "*cryptocurrency*", "*bitcoin*")
// Gate 2 - suppress bulk/marketing/news/legal content that legitimately talks about crypto.
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              'Advertising and Promotions',
              'Newsletters and Digests',
              'News and Current Events',
              'Legal and Compliance'
            )
)
// Gate 3 - suppress messages whose intent is classified "benign" with high confidence.
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
)
// Gate 4 - at least one body link must satisfy BOTH groups below:
//   (A) a link-domain reputation indicator, and
//   (B) a link-behavior indicator obtained from aggressive link analysis.
// Inside the nested any() calls, `.` is the inner element and `..` refers back to
// the enclosing body.links element.
and any(body.links,
        // (A) domain reputation of the link itself
        (
          .href_url.domain.tld in $suspicious_tlds
          or .href_url.domain.root_domain in $url_shorteners
          // newly registered: WHOIS record younger than 30 days
          or network.whois(.href_url.domain).days_old < 30
          // 1 distinct link domain that's not the sender domain
          // NOTE(review): this clause inspects body.links as a whole rather than the
          // current link, so when the message carries exactly one non-sender link
          // domain it is true for every link, and group (A) is satisfied for all of them.
          or length(distinct(filter(body.links,
                                    .href_url.domain.root_domain != sender.email.domain.root_domain
                             ),
                             .href_url.domain.root_domain
                    )
             ) == 1
        )
        // (B) behavior observed while following the link
        and (
          // (B1) a URL reached during analysis shows a known kit artifact
          any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
              // known paths
              strings.ilike(.path, "/payouts/img/*", "/img/coins/*")
              // abused service to fetch coin prices
              or .domain.domain == "api.coingecko.com"
              // suspicious TLD that isn't the original link domain
              or (
                .domain.tld in $suspicious_tlds
                and .domain.root_domain != ..href_url.domain.root_domain
              )
          )
          // (B2) the redirect chain passed through a third-party domain
          or any(ml.link_analysis(., mode="aggressive").redirect_history,
                 // traversed a domain that is not the body link domain OR the effective domain
                 .domain.root_domain != ..href_url.domain.root_domain
                 and .domain.root_domain != ml.link_analysis(.,
                                                             mode="aggressive"
                                            ).effective_url.domain.root_domain
          )
          // (B3) locate and extract the configuration on the page
          or (
            // the final DOM must contain exactly one <script> text node ...
            length(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                              '//script/text()'
                   ).nodes
            ) == 1
            // ... and a <script> node, once exploded, must fingerprint the kit:
            // exactly 27 JavaScript identifiers starting with "pay", or any
            // JavaScript string containing "pay.php".
            // NOTE(review): the `== 27` count is a brittle kit fingerprint; a minor
            // change to the kit's script will silently miss - confirm against current
            // samples before tuning.
            and any(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                               '//script'
                    ).nodes,
                    any(file.explode(.),
                        length(filter(.scan.javascript.identifiers,
                                      strings.ilike(., "pay*")
                               )
                        ) == 27
                        or any(.scan.javascript.strings,
                               strings.icontains(., "pay.php")
                        )
                    )
            )
          )
        )
)
// Exclusion - a fixed list of well-known crypto/finance sender domains, honored ONLY
// when the message passes DMARC, so a spoofed From: domain cannot claim the exemption.
and not (
  sender.email.domain.root_domain in (
    "gemini.com",
    "ledger.com",
    "binance.com",
    "trezor.io",
    "kraken.com",
    "solana.com",
    "metamask.com",
    "ethereum.org",
    "bloomberg.com"
  )
  and headers.auth_summary.dmarc.pass
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime detection rule. The MQL under `source` is the same query rendered under
# "Detection Query" above; `source` is a literal block scalar, so its lines must be
# indented under the key and only `//` comments are valid inside it.
name: "Link: Cryptocurrency fraud with suspicious links"
description: "Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication."
type: "rule"
severity: "high"
source: |
  // Scope: inbound messages only.
  type.inbound
  // Gate 1 - NLU topic must be financial, and the thread must mention crypto/bitcoin.
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Financial Communications")
  )
  and strings.ilike(body.current_thread.text, "*cryptocurrency*", "*bitcoin*")
  // Gate 2 - suppress bulk/marketing/news/legal topics.
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                'Advertising and Promotions',
                'Newsletters and Digests',
                'News and Current Events',
                'Legal and Compliance'
              )
  )
  // Gate 3 - suppress high-confidence benign intent.
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence == "high"
  )
  // Gate 4 - one body link must satisfy BOTH (A) domain reputation and
  // (B) link-analysis behavior. `..` refers back to the enclosing body.links element.
  and any(body.links,
          // (A) domain reputation of the link itself
          (
            .href_url.domain.tld in $suspicious_tlds
            or .href_url.domain.root_domain in $url_shorteners
            // newly registered: WHOIS record younger than 30 days
            or network.whois(.href_url.domain).days_old < 30
            // 1 distinct link domain that's not the sender domain
            // NOTE(review): evaluates body.links as a whole, not the current link, so it
            // holds for every link when the message has one non-sender link domain.
            or length(distinct(filter(body.links,
                                      .href_url.domain.root_domain != sender.email.domain.root_domain
                               ),
                               .href_url.domain.root_domain
                      )
               ) == 1
          )
          // (B) behavior observed while following the link
          and (
            // (B1) a URL reached during analysis shows a known kit artifact
            any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
                // known paths
                strings.ilike(.path, "/payouts/img/*", "/img/coins/*")
                // abused service to fetch coin prices
                or .domain.domain == "api.coingecko.com"
                // suspicious TLD that isn't the original link domain
                or (
                  .domain.tld in $suspicious_tlds
                  and .domain.root_domain != ..href_url.domain.root_domain
                )
            )
            // (B2) the redirect chain passed through a third-party domain
            or any(ml.link_analysis(., mode="aggressive").redirect_history,
                   // traversed a domain that is not the body link domain OR the effective domain
                   .domain.root_domain != ..href_url.domain.root_domain
                   and .domain.root_domain != ml.link_analysis(.,
                                                               mode="aggressive"
                                              ).effective_url.domain.root_domain
            )
            // (B3) locate and extract the configuration on the page
            or (
              // exactly one <script> text node in the final DOM ...
              length(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                                '//script/text()'
                     ).nodes
              ) == 1
              // ... whose exploded JavaScript has exactly 27 "pay*" identifiers or a
              // "pay.php" string. NOTE(review): `== 27` is a brittle kit fingerprint.
              and any(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                                 '//script'
                      ).nodes,
                      any(file.explode(.),
                          length(filter(.scan.javascript.identifiers,
                                        strings.ilike(., "pay*")
                                 )
                          ) == 27
                          or any(.scan.javascript.strings,
                                 strings.icontains(., "pay.php")
                          )
                      )
              )
            )
          )
  )
  // Exclusion - known platform sender domains, honored only when DMARC passes so a
  // spoofed From: domain cannot claim the exemption.
  and not (
    sender.email.domain.root_domain in (
      "gemini.com",
      "ledger.com",
      "binance.com",
      "trezor.io",
      "kraken.com",
      "solana.com",
      "metamask.com",
      "ethereum.org",
      "bloomberg.com"
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "BEC/Fraud"
# NOTE(review): "Free subdomain host" is tagged below, but the query references no
# free-subdomain-host list; likewise "URL screenshot" is listed although no screenshot
# field is read. Confirm these tags are intended or trim them to what the query does.
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Free subdomain host"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Javascript analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
  - "Whois"
id: "d0da37ce-efa1-5a71-a14b-add6439822cc"