Link: Non-standard port 8443 in display URL

Detects links whose display URL contains port 8443 and whose href domain is less than a year old according to WHOIS; a non-standard port on a newly registered domain may indicate suspicious redirect or hosting infrastructure.


 1name: "Link: Non-standard port 8443 in display URL"
 2description: "Detects links containing port 8443 in the display URL, which may indicate suspicious redirect or hosting infrastructure."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // no previous threads
 9    length(body.previous_threads) == 0
10    // or is a fake thread
11    or (
12      (length(headers.references) == 0 or headers.in_reply_to is null)
13      and (
14        subject.is_reply
15        or subject.is_forward
16        or length(body.previous_threads) > 0
17      )
18    )
19  )
20  and any(body.links,
21          strings.contains(.display_url.url, ':8443')
22          and network.whois(.href_url.domain).days_old <= 365
23  )
24  
25  // Negate noreply-spamdigest senders
26  and not (
27    sender.email.email == "noreply-spamdigest@google.com"
28    and headers.auth_summary.dmarc.pass
29  )  
30attack_types:
31  - "Credential Phishing"
32  - "Malware/Ransomware"
33tactics_and_techniques:
34  - "Evasion"
35detection_methods:
36  - "URL analysis"
37id: "11f23791-a006-5ab5-83eb-9ad816ed5b4a"