Sublime Core Feed

Description

Detects messages containing financial communications about cryptocurrency or bitcoin with links to domains on suspicious TLDs, URL shorteners, newly registered domains (less than 30 days old), or a single external link domain that differs from the sender's. The rule then analyzes link behavior, including redirects through domains other than the link's own or its final landing domain, requests to known abused paths or services used to fetch coin prices, and JavaScript configurations commonly used in cryptocurrency scams. Excludes well-known cryptocurrency platforms only when the message passes DMARC authentication.

References

No references.

Sublime Security
Created Dec 1st, 2025 • Last updated Dec 1st, 2025
Source
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications")
)
and strings.ilike(body.current_thread.text, "*cryptocurrency*", "*bitcoin*")
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              'Advertising and Promotions',
              'Newsletters and Digests',
              'News and Current Events',
              'Legal and Compliance'
            )
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
)
and any(body.links,
        (
          .href_url.domain.tld in $suspicious_tlds
          or .href_url.domain.root_domain in $url_shorteners
          or network.whois(.href_url.domain).days_old < 30
          // 1 distinct link domain that's not the sender domain
          or length(distinct(filter(body.links,
                                    .href_url.domain.root_domain != sender.email.domain.root_domain
                             ),
                             .href_url.domain.root_domain
                    )
          ) == 1
        )
        and (
          any(ml.link_analysis(., mode="aggressive").unique_urls_accessed,
              // known paths
              strings.ilike(.path, "/payouts/img/*", "/img/coins/*")
              // abused service to fetch coin prices
              or .domain.domain == "api.coingecko.com"
              // suspicious TLD that isn't the original link domain
              or (
                .domain.tld in $suspicious_tlds
                and .domain.root_domain != ..href_url.domain.root_domain
              )
          )
          or any(ml.link_analysis(., mode="aggressive").redirect_history,
                 // traversed a domain that is not the body link domain OR the effective domain
                 .domain.root_domain != ..href_url.domain.root_domain
                 and .domain.root_domain != ml.link_analysis(.,
                                                             mode="aggressive"
                 ).effective_url.domain.root_domain
          )
          // locate and extract the configuration on the page
          or (
            length(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                              '//script/text()'
                   ).nodes
            ) == 1
            and any(html.xpath(ml.link_analysis(., mode="aggressive").final_dom,
                               '//script'
                    ).nodes,
                    any(file.explode(.),
                        length(filter(.scan.javascript.identifiers,
                                      strings.ilike(., "pay*")
                               )
                        ) == 27
                        or any(.scan.javascript.strings,
                               strings.icontains(., "pay.php")
                        )
                    )
            )
          )
        )
)
and not (
  sender.email.domain.root_domain in (
    "gemini.com",
    "ledger.com",
    "binance.com",
    "trezor.io",
    "kraken.com",
    "solana.com",
    "metamask.com",
    "ethereum.org",
    "bloomberg.com"
  )
  and headers.auth_summary.dmarc.pass
)