Image as content with a link to an open redirect

Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.

Sublime rule

 1name: "Image as content with a link to an open redirect"
 2description: "Body contains little, no, or only disclaimer text, an image, and a link to an open redirect."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 3
 8  and 0 < (length(attachments)) < 3
 9  and all(attachments, (.file_type in $file_types_images))
10  and all(attachments, (.size > 10000))
11  // image is in body
12  and strings.icontains(body.html.raw, 'src="cid')
13  // sender domain matches no body domains
14  and all(body.links,
15          .href_url.domain.root_domain != sender.email.domain.root_domain
16  )
17  and (
18    // body text is very short
19    (
20      0 <= (length(body.current_thread.text)) < 10
21      or body.current_thread.text is null
22    )
23    or (
24      length(body.current_thread.text) < 900
25      // or body is most likely all warning banner (text contains the sender and common warning banner language)
26      and (
27        (
28          strings.contains(body.current_thread.text, sender.email.email)
29          and strings.contains(body.current_thread.text, 'caution')
30        )
31        or regex.icontains(body.current_thread.text,
32                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
33        )
34      )
35    )
36  )
37  and (
38    any(body.links,
39        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
40        and .href_url.domain.root_domain not in $high_trust_sender_root_domains
41    )
42    or any(body.links,
43           .href_url.domain.root_domain == 'sng.link'
44           and strings.ilike(.href_url.query_params, "*fallback_redirect*")
45    )
46  )
47  // negate highly trusted sender domains unless they fail DMARC authentication
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )  
55attack_types:
56  - "Credential Phishing"
57  - "Malware/Ransomware"
58tactics_and_techniques:
59  - "Evasion"
60  - "Image as content"
61  - "Open redirect"
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "HTML analysis"
66  - "URL analysis"
67id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"