From 70e2cf0e564624b7e35f6225b654d2ecd8a5fa37 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Wed, 21 May 2025 11:55:50 -0700
Subject: [PATCH 01/10] Create monday_infra_abuse.yml

---
 detection-rules/monday_infra_abuse.yml | 113 +++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 detection-rules/monday_infra_abuse.yml

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
new file mode 100644
index 00000000000..7057216b776
--- /dev/null
+++ b/detection-rules/monday_infra_abuse.yml
@@ -0,0 +1,113 @@
+name: "Monday.com Link Infrastructure Abuse"
+description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ (
+ length(body.links) < 15
+ and any(body.links, .href_url.domain.domain == "trackingservice.monday.com")
+ )
+ or (
+ length(attachments) <= 3
+ and (
+ any(attachments,
+ (.file_type in $file_types_images or .file_type == "pdf")
+ and any(file.explode(.),
+ .scan.qr.type is not null
+ and .scan.qr.url.domain.domain == "trackingservice.monday.com"
+ // exclude images taken with mobile cameras and screenshots from android
+ and not any(.scan.exiftool.fields,
+ .key == "Model"
+ or (
+ .key == "Software"
+ and strings.starts_with(.value, "Android")
+ )
+ )
+ // exclude images taken with mobile cameras and screenshots from Apple
+ and not any(.scan.exiftool.fields,
+ .key == "DeviceManufacturer"
+ and .value == "Apple Computer Inc."
+ )
+ )
+ )
+ or (
+ length(attachments) == 0
+ and any(file.explode(beta.message_screenshot()),
+ .scan.exiftool.image_height < 2000
+ and .scan.exiftool.image_width < 2000
+ and .scan.qr.type is not null
+ and .scan.qr.url.domain.domain == "trackingservice.monday.com"
+ )
+ )
+ )
+ )
+ or (
+ length(attachments) <= 3
+ and (
+ any(attachments,
+ (
+ .file_type in ("pdf")
+ or .file_extension in ("pdf", "eml")
+ or .file_extension in $file_extensions_macros
+ or .content_type in ("message/rfc822")
+ )
+ and any(file.explode(.),
+ any(.scan.url.urls,
+ .domain.domain == "trackingservice.monday.com"
+ )
+ )
+ )
+ )
+ )
+ )
+ and not (
+ any(headers.domains, strings.ends_with(.domain, "mail.monday.com"))
+ or (
+ headers.auth_summary.dmarc.details.from.root_domain == "monday.com"
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+ // negating legit replies
+ and not (
+ (
+ strings.istarts_with(subject.subject, "RE:")
+ or strings.istarts_with(subject.subject, "FW:")
+ or strings.istarts_with(subject.subject, "FWD:")
+ or strings.istarts_with(subject.subject, "Automatic reply:")
+ )
+ and (
+ length(headers.references) > 0
+ and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and profile.by_sender_email().prevalence in ("new", "outlier", "rare")
+
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+ - "QR code"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"
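Review bot: The first exclusion branch on the new side, `any(headers.domains, strings.ends_with(.domain, "mail.monday.com"))`, suppresses the rule whenever a `mail.monday.com` domain appears anywhere in the headers with no authentication requirement, whereas the sibling branch correctly demands `headers.auth_summary.spf.pass and headers.auth_summary.dmarc.pass` for the `monday.com` root domain. Header domains can be sender-controlled, so this allowlist is weaker than the description's "trusted domains with valid DMARC" promises. Tie that branch to authentication as well, e.g. `any(headers.domains, strings.ends_with(.domain, "mail.monday.com")) and headers.auth_summary.dmarc.pass`, or fold it into the authenticated branch. The two trailing `+` blank lines before `attack_types:` are stray whitespace.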
From af107e7ee038c5dbe35acc1776beaf47f773ddf6 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 21 May 2025 19:00:48 +0000
Subject: [PATCH 02/10] Auto add rule ID

---
 detection-rules/monday_infra_abuse.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 7057216b776..81ebb35bc47 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -111,3 +111,4 @@ detection_methods:
 - "QR code analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "a346e3b1-603e-5ef0-8547-d40ba4282352"
From 40404329a71cbeda8e3a3f380a9855fa197f7ab7 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 5 Sep 2025 15:59:42 -0700
Subject: [PATCH 03/10] Update monday_infra_abuse.yml

---
 detection-rules/monday_infra_abuse.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 81ebb35bc47..154a590288c 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -86,17 +86,16 @@ source: |
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
 (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and (
- any(distinct(headers.hops, .authentication_results.dmarc is not null),
- strings.ilike(.authentication_results.dmarc, "*fail")
- )
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
 )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
- and profile.by_sender_email().prevalence in ("new", "outlier", "rare")
-
+ and profile.by_sender().prevalence in ("new", "outlier", "rare")
+ // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse
+ or sender.email.domain.root_domain == "salesforce.com"
+ )

 attack_types:
 - "Credential Phishing"
From 91653899fc635eff177c7214d7f818d22aa6d21c Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 5 Sep 2025 16:02:01 -0700
Subject: [PATCH 04/10] Update monday_infra_abuse.yml

---
 detection-rules/monday_infra_abuse.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 154a590288c..99b9ec87051 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -110,4 +110,3 @@ detection_methods:
 - "QR code analysis"
 - "Sender analysis"
 - "URL analysis"
-id: "a346e3b1-603e-5ef0-8547-d40ba4282352"
From 92a010b75c4cffceb833efac1fd9ec5d28d3853c Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 5 Sep 2025 23:03:16 +0000
Subject: [PATCH 05/10] Auto add rule ID

---
 detection-rules/monday_infra_abuse.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 99b9ec87051..154a590288c 100644
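Review bot: `and not headers.auth_summary.dmarc.pass` drops the explicit null handling that the removed `distinct(headers.hops, .authentication_results.dmarc is not null)` filter provided, so when no DMARC result exists at all the outcome now rests on how `not` treats a null value, which the rule does not state. If a missing DMARC evaluation should count as not passing, make that explicit, e.g. `and (headers.auth_summary.dmarc.pass is null or not headers.auth_summary.dmarc.pass)`; otherwise keep a null guard. The new `or sender.email.domain.root_domain == "salesforce.com"` is attached to the whole trust-and-prevalence block, so salesforce.com senders bypass the `profile.by_sender().prevalence` check as well as the DMARC gate, and the match is on the unauthenticated sender root domain; the comment should record that this widening is intentional, e.g. `// salesforce.com senders are matched regardless of prevalence or DMARC result`. The enclosing `source: |` block starts outside the hunk.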
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -110,3 +110,4 @@ detection_methods:
 - "QR code analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "a346e3b1-603e-5ef0-8547-d40ba4282352"
From 4a9e0030cd39d5c9988ce1349c7934792964ca1e Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 5 Sep 2025 16:09:20 -0700
Subject: [PATCH 06/10] Update monday_infra_abuse.yml

---
 detection-rules/monday_infra_abuse.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 154a590288c..3381c8c0c50 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -1,4 +1,4 @@
-name: "Monday.com Link Infrastructure Abuse"
+name: "Monday.com link infrastructure abuse"
 description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
 type: "rule"
 severity: "high"
From f873f439f04c45ebce08faa24894811b385cdc64 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 11 Sep 2025 18:14:42 -0700
Subject: [PATCH 07/10] Update monday_infra_abuse.yml

---
 detection-rules/monday_infra_abuse.yml | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 3381c8c0c50..8e0d902089a 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
@@ -83,16 +83,34 @@ source: |
 and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 )
 )
+ // negate graymail and newsletters with a benign NLU intent
+ and not (
+ any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name in~ (
+ "Advertising and Promotions",
+ "B2B Cold Outreach",
+ "Newsletters and Digests",
+ "Events and Webinars"
+ )
+ and .confidence == "high"
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "benign" and .confidence == "high"
+ )
+ )
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ and profile.by_sender().prevalence in ("new", "outlier", "rare")
 )
- and profile.by_sender().prevalence in ("new", "outlier", "rare")
 // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse
 or sender.email.domain.root_domain == "salesforce.com"
 )
From 52f895e39b5ef45ae6f8a17ee71a3a90f16c1e96 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 18 Oct 2025 08:25:50 -0500
Subject: [PATCH 08/10] Update monday_infra_abuse.yml

use monday_tracker url decoder unnest the or statements that use different attachment length logic to be their own

---
 detection-rules/monday_infra_abuse.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 8e0d902089a..909737f7b5d 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
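Review bot: The new graymail negation is applied to the entire rule, so a QR-code or attachment lure whose `body.current_thread.text` reads as a newsletter with a high-confidence `benign` intent is now suppressed even though the Monday.com tracking link is still present; the block only tests for a benign intent and never that a phishing-type intent is absent. Either scope this negation to the `body.links` path, which is where newsletter-style false positives are most likely, or record the accepted trade-off in the comment, e.g. `// negate graymail and newsletters with a benign NLU intent; this also suppresses QR/attachment matches whose body text looks like a newsletter`. `ml.nlu_classifier(body.current_thread.text)` is also evaluated twice within the same predicate; if the platform does not cache it, the classifier runs twice per message. The enclosing `source: |` block begins outside the hunk.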
@@ -7,7 +7,7 @@ source: |
 and (
 (
 length(body.links) < 15
- and any(body.links, .href_url.domain.domain == "trackingservice.monday.com")
+ and any(body.links, 'monday_tracker' in .href_url.rewrite.encoders)
 )
 or (
 length(attachments) <= 3
@@ -32,15 +32,15 @@ source: |
 )
 )
 )
- or (
- length(attachments) == 0
- and any(file.explode(beta.message_screenshot()),
- .scan.exiftool.image_height < 2000
- and .scan.exiftool.image_width < 2000
- and .scan.qr.type is not null
- and .scan.qr.url.domain.domain == "trackingservice.monday.com"
- )
- )
+ )
+ )
+ or (
+ length(attachments) == 0
+ and any(file.explode(beta.message_screenshot()),
+ .scan.exiftool.image_height < 2000
+ and .scan.exiftool.image_width < 2000
+ and .scan.qr.type is not null
+ and .scan.qr.url.domain.domain == "trackingservice.monday.com"
 )
 )
 or (
From 3cc173163551cfdc6548886d4380adf9ffc0c010 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 18 Oct 2025 08:33:02 -0500
Subject: [PATCH 09/10] rewrite to use beta functions

---
 detection-rules/monday_infra_abuse.yml | 61 ++++++++++++++++----------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index 909737f7b5d..e88e97a8edf 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
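Review bot: The body-link test now keys on `'monday_tracker' in .href_url.rewrite.encoders` while the screenshot QR branch relocated in the second hunk still keys on the literal `.scan.qr.url.domain.domain == "trackingservice.monday.com"`, so the two paths may recognise different URL sets if the encoder label covers more than that single host. Nothing in the rule records what the label stands for or why it replaced the host match; a one-line comment at the first use, e.g. `// 'monday_tracker': Monday.com tracking links as identified by the URL rewrite decoder (replaces the trackingservice.monday.com host match)`, would make the criterion reviewable. Both hunks sit inside the `source: |` block, which starts and ends outside them.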
@@ -14,33 +14,47 @@ source: |
 and (
 any(attachments,
 (.file_type in $file_types_images or .file_type == "pdf")
- and any(file.explode(.),
- .scan.qr.type is not null
- and .scan.qr.url.domain.domain == "trackingservice.monday.com"
- // exclude images taken with mobile cameras and screenshots from android
- and not any(.scan.exiftool.fields,
- .key == "Model"
- or (
- .key == "Software"
- and strings.starts_with(.value, "Android")
- )
- )
- // exclude images taken with mobile cameras and screenshots from Apple
- and not any(.scan.exiftool.fields,
- .key == "DeviceManufacturer"
- and .value == "Apple Computer Inc."
+ //
+ // This rule makes use of a beta feature and is subject to change without notice
+ // using the beta feature in custom rules is not suggested until it has been formally released
+ //
+ and any(beta.scan_qr(.).items,
+ .type is not null
+ and 'monday_tracker' in .url.rewrite.encoders
+ )
+ //
+ // This rule makes use of a beta feature and is subject to change without notice
+ // using the beta feature in custom rules is not suggested until it has been formally released
+ //
+ // exclude images taken with mobile cameras and screenshots from android
+ and not any(beta.parse_exif(.).fields,
+ .key == "Model"
+ or (
+ .key == "Software"
+ and strings.starts_with(.value, "Android")
+ )
+ )
+ // exclude images taken with mobile cameras and screenshots from Apple
+ and not any(beta.parse_exif(.).fields,
+ .key == "DeviceManufacturer"
+ and .value == "Apple Computer Inc."
 )
 )
 )
 )
 or (
 length(attachments) == 0
- and any(file.explode(beta.message_screenshot()),
- .scan.exiftool.image_height < 2000
- and .scan.exiftool.image_width < 2000
- and .scan.qr.type is not null
- and .scan.qr.url.domain.domain == "trackingservice.monday.com"
+ and (
+ //
+ // This rule makes use of a beta feature and is subject to change without notice
+ // using the beta feature in custom rules is not suggested until it has been formally released
+ //
+ beta.parse_exif(file.message_screenshot()).image_height < 2000
+ and beta.parse_exif(file.message_screenshot()).image_width < 2000
+ and beta.scan_qr(file.message_screenshot()).found
+ and any(beta.scan_qr(file.message_screenshot()).items,
+ .type is not null and 'monday_tracker' in .url.rewrite.encoders
+ )
 )
 )
 or (
@@ -55,7 +69,7 @@ source: |
 )
 and any(file.explode(.),
 any(.scan.url.urls,
- .domain.domain == "trackingservice.monday.com"
+ 'monday_tracker' in .rewrite.encoders
 )
 )
 )
@@ -113,8 +127,7 @@ source: |
 )
 // salesforce has been abused to send phishing campaigns leveraging monday.com infrastructure abuse
 or sender.email.domain.root_domain == "salesforce.com"
- )
-
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From c7f250e64c1fb87075edf8ed83650db618d0d4ce Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Mon, 3 Nov 2025 17:45:08 -0800
Subject: [PATCH 10/10] Update detection-rules/monday_infra_abuse.yml

Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 detection-rules/monday_infra_abuse.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/monday_infra_abuse.yml b/detection-rules/monday_infra_abuse.yml
index e88e97a8edf..c56103e688e 100644
--- a/detection-rules/monday_infra_abuse.yml
+++ b/detection-rules/monday_infra_abuse.yml
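Review bot: Replacing `any(file.explode(.), ...)` with `any(beta.scan_qr(.).items, ...)` on attachments that still include `.file_type == "pdf"` changes what is inspected: the old form iterated the attachment's exploded child objects, while the new one hands the attachment itself to `beta.scan_qr`, so if that function does not render PDF pages a QR code embedded in a PDF would no longer be found — confirm the beta function's coverage before relying on it. In the screenshot branch `file.message_screenshot()` is invoked four times and `beta.scan_qr(file.message_screenshot()).found` duplicates the `any(... .items, ...)` test that follows it, so dropping the `.found` line removes one call without changing the result. The identical four-line beta disclaimer appears three times in this hunk; one copy at the top of `source: |` (which starts outside the hunk) would carry the same warning. The visible context lines after `"Apple Computer Inc."` close one bracket fewer than the old side needs, so the hunk as shown may have lost a `- )` line in transit; worth checking against the repository.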
@@ -1,4 +1,4 @@
-name: "Monday.com link infrastructure abuse"
+name: "Service abuse: Monday.com infrastructure with phishing intent"
 description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC."
 type: "rule"
 severity: "high"
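Review bot: The new name asserts "with phishing intent", but the rule's `source` (outside this hunk) only negates messages whose NLU intent is a high-confidence `benign`; it never requires a phishing intent to be present, so the name claims more than is checked. Either qualify the name or bring `description` in line with the actual logic, e.g. `description: "Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies, graymail with a high-confidence benign NLU intent, and messages from trusted domains with valid DMARC."`. The description's "unusual senders" also no longer holds for the `salesforce.com` carve-out, which matches regardless of sender prevalence.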