Medium Severity
Link: Direct POWR.io Form Builder with Suspicious Patterns
Description
Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.
References
No references.
Sublime Security
Created May 5th, 2025 • Last updated May 5th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
(
any(filter(body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path, 'form-builder')
)
or (
(
strings.icontains(.href_url.query_params, 'powr.io')
or strings.icontains(.href_url.query_params, 'powr%2io')
or strings.icontains(.href_url.query_params, 'powr%252eio')
)
and strings.icontains(.href_url.query_params, 'form-builder')
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// use the META data to inspect the "app_owner" data
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"])["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
or any(attachments,
(.file_extension == "eml" or .content_type == "message/rfc822")
and any(filter(file.parse_eml(.).body.links,
(
(
.href_url.domain.root_domain == "powr.io"
and strings.icontains(.href_url.path,
'form-builder'
)
)
or (
(
strings.icontains(.href_url.query_params,
'powr.io'
)
or strings.icontains(.href_url.query_params,
'powr%2io'
)
or strings.icontains(.href_url.query_params,
'powr%252eio'
)
)
and strings.icontains(.href_url.query_params,
'form-builder'
)
)
)
),
// it's credphishing
ml.link_analysis(.).credphish.disposition == "phishing"
// these shouldn't show up here either
or ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
// there is a redirect, and that redirect goes to a different domain than the sender root domain
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.CONTENT=(?P<content>[^\n]+)\;\n'
),
strings.parse_json(.named_groups["content"])["afterSubmission"] == "redirect"
and strings.parse_json(.named_groups["content"])["redirectLink"] != ""
and not strings.icontains(strings.parse_json(.named_groups["content"]
)["redirectLink"],
sender.email.domain.root_domain
)
)
// the creator has been suspended
or any(regex.extract(ml.link_analysis(.).final_dom.raw,
'window\.META=(?P<meta>[^\n]+)\;\n'
),
// the creator has been suspended or isn't active anymore
strings.parse_json(.named_groups["meta"])["app_owner"]["status"] == "suspended"
or strings.parse_json(.named_groups["meta"])["app_owner"]["active"] == false
// did not verify the email address
or strings.parse_json(.named_groups["meta"])["app_owner"]["has_verified_email?"] == false
// the app_owner originated from a timezone in Africa
or strings.starts_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["timezone"],
'Africa/'
)
// the creator domain doesn't match the sender root domain
or not strings.ends_with(strings.parse_json(.named_groups["meta"]
)["app_owner"]["email"],
sender.email.domain.root_domain
)
)
)
)
)
)
Playground
Test against your own EMLs or sample data.