Link: Base64 encoded recipient address in URL fragment with hex subdomain

calendar Jan 29, 2026  ·
Share on: linkedin copy

Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection.

Sublime rule (View on GitHub)

 1name: "Link: Base64 encoded recipient address in URL fragment with hex subdomain"
 2description: "Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          length(.href_url.domain.subdomain) == 40
 9          and regex.match(.href_url.domain.subdomain, '^[a-f0-9]{40}')
10          and any(strings.scan_base64(.href_url.fragment),
11                  . == recipients.to[0].email.email
12          )
13  )  
14
15attack_types:
16  - "Credential Phishing"
17tactics_and_techniques:
18  - "Evasion"
19detection_methods:
20  - "URL analysis"
21  - "Content analysis"
22id: "781e86ae-0be9-5965-8b94-8f0c9ad13854"
to-top