Constant Contact link infrastructure abuse

calendar Oct 17, 2025  ·
Share on: linkedin copy

Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.

Sublime rule (View on GitHub)

  1name: "Constant Contact link infrastructure abuse"
  2description: "Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(body.links) < 15
 10      and any(body.links,
 11              .href_url.domain.root_domain in (
 12                "rs6.net",
 13                "constantcontactpages.com"
 14              )
 15      )
 16    )
 17    or (
 18      length(attachments) <= 3
 19      and (
 20        any(attachments,
 21            (.file_type in $file_types_images or .file_type == "pdf")
 22            //
 23            // This rule makes use of a beta feature and is subject to change without notice
 24            // using the beta feature in custom rules is not suggested until it has been formally released
 25            //
 26            and any(beta.scan_qr(.).items,
 27                    .type is not null
 28                    and .url.domain.root_domain in (
 29                      "rs6.net",
 30                      "constantcontactpages.com"
 31                    )
 32            )
 33            //
 34            // This rule makes use of a beta feature and is subject to change without notice
 35            // using the beta feature in custom rules is not suggested until it has been formally released
 36            //
 37            // exclude images taken with mobile cameras and screenshots from android
 38            and not any(beta.parse_exif(.).fields,
 39                        .key == "Model"
 40                        or (
 41                          .key == "Software"
 42                          and strings.starts_with(.value, "Android")
 43                        )
 44            )
 45            // exclude images taken with mobile cameras and screenshots from Apple
 46            and not any(beta.parse_exif(.).fields,
 47                        .key == "DeviceManufacturer"
 48                        and .value == "Apple Computer Inc."
 49            )
 50        )
 51        or (
 52          length(attachments) == 0
 53          and (
 54            //
 55            // This rule makes use of a beta feature and is subject to change without notice
 56            // using the beta feature in custom rules is not suggested until it has been formally released
 57            //
 58            beta.parse_exif(file.message_screenshot()).image_height < 2000
 59            and beta.parse_exif(file.message_screenshot()).image_width < 2000
 60            and beta.scan_qr(file.message_screenshot()).found
 61            and any(beta.scan_qr(file.message_screenshot()).items,
 62                    .type is not null and .url.domain.root_domain == "rs6.net"
 63            )
 64          )
 65        )
 66      )
 67    )
 68  )
 69  and not (
 70    any(headers.hops,
 71        strings.icontains(.authentication_results.spf_details.designator,
 72                          "constantcontact.com"
 73        )
 74    )
 75    or any(headers.hops,
 76           strings.icontains(.received_spf.designator, "constantcontact.com")
 77    )
 78    or (
 79      (
 80        any(headers.hops,
 81            any(.authentication_results.dkim_details,
 82                .domain == "auth.ccsend.com"
 83            )
 84        )
 85      )
 86      and headers.auth_summary.dmarc.pass
 87    )
 88    or any(headers.references, strings.iends_with(., "ccsend.com"))
 89  )
 90  // negating legit replies
 91  and not (
 92    (
 93      strings.istarts_with(subject.subject, "RE:")
 94      or strings.istarts_with(subject.subject, "FW:")
 95      or strings.istarts_with(subject.subject, "FWD:")
 96      or strings.istarts_with(subject.subject, "Automatic reply:")
 97      or regex.imatch(subject.subject,
 98                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
 99      )
100    )
101    and (
102      length(headers.references) > 0
103      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
104    )
105  )
106  // negate highly trusted sender domains unless they fail DMARC authentication
107  and (
108    (
109      sender.email.domain.root_domain in $high_trust_sender_root_domains
110      and not headers.auth_summary.dmarc.pass
111    )
112    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
113  )
114  and profile.by_sender().prevalence in ("new", "outlier", "rare")  
115
116attack_types:
117  - "Credential Phishing"
118tactics_and_techniques:
119  - "Free email provider"
120  - "Open redirect"
121  - "Social engineering"
122detection_methods:
123  - "Content analysis"
124  - "Header analysis"
125  - "QR code analysis"
126  - "Sender analysis"
127id: "8c5e8e4c-c610-5ece-b82a-214c637cba09"
to-top