Service abuse: Vimeo with external plain-text links in message

Detects messages abusing Vimeo "sent you a message" notifications that contain plain-text links pointing to domains other than vimeo.com, potentially leading users to malicious websites.

Sublime rule:

name: "Service abuse: Vimeo with external plain-text links in message"
description: "Detects messages abusing Vimeo notifications about received messages that contain plain-text links redirecting to domains other than Vimeo, potentially leading users to malicious websites."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain == 'vimeo.com'
  and strings.ends_with(subject.base, 'sent you a message on Vimeo')
  and (
    // plain-text url that does not go to vimeo
    any(filter(body.current_thread.links, .parser == "plain"),
        .display_url.domain.root_domain != 'vimeo.com'
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Content analysis"
  - "URL analysis"
id: "ba94ae6b-d554-55ef-a039-ad1d73b84ed0"
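To make the rule's logic concrete, here is an added Python re-implementation of the same three checks (Vimeo sender domain, the notification subject, and a plain-text link whose root domain is not vimeo.com) run over constructed sample messages. This is example code, not Sublime's engine or rule: the `Link`/`Message` classes, the two-label `root_domain()` approximation and the sample messages are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Link:
    display_url: str   # the URL text the recipient actually sees
    parser: str        # "plain" for bare text URLs, "html" for anchor tags


@dataclass
class Message:
    sender_domain: str
    subject: str
    links: list = field(default_factory=list)


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme."""
    u = url if "://" in url else "http://" + url
    return (urlparse(u).hostname or "").lower()


def root_domain(host: str) -> str:
    """Registrable domain, approximated as the last two labels (assumption:
    no public-suffix list; good enough for the constructed samples)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def matches_rule(msg: Message) -> bool:
    """Mirror of the Sublime rule: Vimeo sender, 'sent you a message on Vimeo'
    subject, and at least one plain-text link whose root domain is not vimeo.com.
    (Subject prefix stripping done by subject.base is omitted here.)"""
    if msg.sender_domain.lower() != "vimeo.com":
        return False
    if not msg.subject.endswith("sent you a message on Vimeo"):
        return False
    return any(root_domain(host_of(l.display_url)) != "vimeo.com"
               for l in msg.links if l.parser == "plain")


# Constructed sample messages (not real notifications)
ABUSE = Message("vimeo.com", "Someone sent you a message on Vimeo",
                [Link("https://vimeo.com/user123", "html"),
                 Link("https://login-verify.example.net/auth", "plain")])
BENIGN = Message("vimeo.com", "Someone sent you a message on Vimeo",
                 [Link("https://player.vimeo.com/inbox", "plain")])
OTHER = Message("vimeo.com", "Your weekly digest",
                [Link("https://example.org/news", "plain")])
```

A production version should derive the registrable domain from the public suffix list rather than the two-label shortcut, since otherwise multi-label suffixes (for example `co.uk`) are mis-parsed.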