Image as content with a link to an open redirect (unsolicited)

Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.

Sublime rule

 1name: "Image as content with a link to an open redirect (unsolicited)"
 2description: "Body contains little, no, or only disclaimer text, an image, and a link to an open redirect."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 3
 8  and 0 < (length(attachments)) < 3
 9  and all(attachments, (.file_type in $file_types_images))
10  and all(attachments, (.size > 10000))
11  // image is in body
12  and strings.icontains(body.html.raw, 'src="cid')
13  // sender domain matches no body domains
14  and all(body.links,
15          .href_url.domain.root_domain != sender.email.domain.root_domain
16  )
17  and (
18    // body text is very short
19    (
20      0 <= (length(body.current_thread.text)) < 10
21      or body.current_thread.text is null
22    )
23    or (
24      length(body.current_thread.text) < 900
25      // or body is most likely all warning banner (text contains the sender and common warning banner language)
26      and (
27        (
28          strings.contains(body.current_thread.text, sender.email.email)
29          and strings.contains(body.current_thread.text, 'caution')
30        )
31        or regex.icontains(body.current_thread.text,
32                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
33        )
34      )
35    )
36  )
37  and (
38    any(body.links,
39        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
40        and .href_url.domain.root_domain not in $high_trust_sender_root_domains
41    )
42    or any(body.links,
43           .href_url.domain.root_domain == 'sng.link'
44           and strings.ilike(.href_url.query_params, "*fallback_redirect*")
45    )
46  )
47  // negate highly trusted sender domains unless they fail DMARC authentication
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )
55  and (
56    not profile.by_sender().solicited
57    or (
58      profile.by_sender().any_messages_malicious_or_spam
59      and not profile.by_sender().any_messages_benign
60    )
61  )
62  and not profile.by_sender().prevalence == "common"  
63attack_types:
64  - "Credential Phishing"
65  - "Malware/Ransomware"
66tactics_and_techniques:
67  - "Evasion"
68  - "Image as content"
69  - "Open redirect"
70  - "Social engineering"
71detection_methods:
72  - "Content analysis"
73  - "HTML analysis"
74  - "URL analysis"
75id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"