URL with Unicode U+2044 (⁄) or U+2215 (∕) characters

The body of the message, or any of its links, contains the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.

Sublime rule (View on GitHub)

name: "URL with Unicode U+2044 (⁄) or U+2215 (∕) characters"
description: |
    Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.
type: "rule"
severity: "low"
authors:
  - twitter: "delivr_to"
references:
  - https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
source: |
  type.inbound
  and (
    regex.icontains(body.plain.raw, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+')
    or any(body.links,
           regex.icontains(.href_url.url, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+')
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "12069f5b-a774-53ba-8473-633291f71e84"
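
The rule's matching logic reproduced in Python, as an added example that is not part of the Sublime rule or its repository. The pattern is the one from the rule's `source`; the function names and sample messages are constructed for illustration.

```python
import re
import unicodedata

SL = "\u2044\u2215"  # FRACTION SLASH and DIVISION SLASH, the two lookalikes

# Same pattern as the rule; regex.icontains is case-insensitive, hence IGNORECASE.
PATTERN = re.compile(
    rf"https?:\/\/[^\s{SL}]+(?:\/[^\s{SL}]+)*[{SL}][^\s{SL}]+", re.IGNORECASE
)

def rule_matches(body_plain, link_urls):
    """Mirror of the rule: the plain body OR any link URL matches the pattern."""
    if PATTERN.search(body_plain):
        return True
    return any(PATTERN.search(url) for url in link_urls)

def lookalikes_in(url):
    """For triage: offset, code point and Unicode name of each lookalike slash."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(url)
        if ch in SL
    ]

# Constructed sample messages: (plain body, list of link URLs)
SAMPLES = {
    # Ordinary ASCII slashes only: no match.
    "benign": ("Release notes: https://example.com/docs/v1/notes.txt",
               ["https://example.com/docs/v1/notes.txt"]),
    # Lookalike slashes inside a URL in the body text.
    "body_hit": ("Download: https://example.com\u2215docs\u2215v1.zip", []),
    # Clean body, but a link URL carries a lookalike (upper-case scheme).
    "link_hit": ("See the attached link.", ["HTTPS://example.com/a\u2044b"]),
    # A fraction slash in ordinary text, outside any URL: no match.
    "fraction_text": ("Recipe at https://example.com/recipe uses 1\u20442 cup", []),
}

def evaluate_samples():
    """Run the rule logic over every constructed sample."""
    return {name: rule_matches(body, links)
            for name, (body, links) in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14} flagged={hit}")
    print(lookalikes_in("https://example.com\u2215docs"))
```

Because the pattern requires a lookalike slash to follow `https://` with no whitespace in between, a fraction such as `1⁄2` elsewhere in the body does not trigger the rule.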