Link: Unsolicited email contains link leading to Tycoon URL structure

Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure.

Sublime rule

name: "Link: Unsolicited email contains link leading to Tycoon URL structure"
description: "Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure."
type: "rule"
severity: "high"
source: |
  type.inbound
  and 0 < length(body.links) < 15
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // single path
          strings.count(ml.link_analysis(., mode="aggressive").effective_url.path,
                        '/'
          ) == 2
          // tycoon url struct
          and regex.icontains(ml.link_analysis(., mode="aggressive").effective_url.path,
                              '\/.*[!@].*\/[$*](?:[a-zA-Z0-9.\-_]+(?:@|%40)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})|$)'
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "URL analysis"
id: "90e483fa-b342-5752-a682-045395e3046b"
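To make the rule's logic easy to test offline, here is the same predicate re-implemented in plain Python. This is an added example, not Sublime's code and not how MQL is evaluated by the platform. It assumes the URLs passed in are already the final effective URLs (the rule resolves redirects via ml.link_analysis, which is skipped here), approximates recipients.to[0].email.domain.valid with a syntactic check, and represents the message as a plain dict with "inbound", "to" and "links" keys. Every URL and address below is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Regex taken verbatim from the rule. MQL's regex.icontains is a
# case-insensitive search, so the Python equivalent is re.search with
# re.IGNORECASE. The alternation after the $/* marker accepts an
# (optionally %40-encoded) email address, a base64 blob, or nothing at all.
TYCOON_PATH_RE = re.compile(
    r'\/.*[!@].*\/[$*]'
    r'(?:[a-zA-Z0-9.\-_]+(?:@|%40)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}'      # encoded recipient address
    r'|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})'  # base64
    r'|$)',                                                               # or end of path
    re.IGNORECASE,
)

MAX_LINKS = 15  # from "0 < length(body.links) < 15"


def path_matches_tycoon_structure(url: str) -> bool:
    """Per-link predicate inside the rule's any(): the path holds exactly two
    '/' characters and contains the Tycoon-style pattern.

    Assumption: `url` is already the effective URL (redirects resolved).
    """
    path = urlparse(url).path
    if path.count('/') != 2:
        return False
    return TYCOON_PATH_RE.search(path) is not None


def recipient_domain_looks_valid(address: str) -> bool:
    """Stand-in for recipients.to[0].email.domain.valid (assumption: a
    syntactically plausible address with a dotted domain and TLD is valid)."""
    pattern = r'[^@\s]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}'
    return re.fullmatch(pattern, address) is not None


def message_matches(message: dict) -> bool:
    """Message-level predicate mirroring the rule's source block.

    `message` is a constructed dict standing in for Sublime's type,
    recipients and body objects.
    """
    if not message.get("inbound", False):           # type.inbound
        return False
    links = message.get("links", [])
    if not 0 < len(links) < MAX_LINKS:               # 0 < length(body.links) < 15
        return False
    recipients = message.get("to", [])
    if len(recipients) != 1:                         # length(recipients.to) == 1
        return False
    if not recipient_domain_looks_valid(recipients[0]):
        return False
    return any(path_matches_tycoon_structure(u) for u in links)


# Constructed sample inputs (not real observed URLs or messages).
SUSPICIOUS_URLS = [
    "https://example.invalid/notice!id/$recipient@example.com",
    "https://example.invalid/notice!id/$recipient%40example.com",
    "https://example.invalid/ab@cd/*cmVjaXBpZW50QGV4YW1wbGUuY29t",
    "https://example.invalid/ab!cd/$",
]
BENIGN_URLS = [
    "https://example.invalid/login",        # only one '/'
    "https://example.invalid/docs/page",    # no '!' or '@' in the path
    "https://example.invalid/a/b/c",        # three '/'
    "https://example.invalid/a!b/page",     # no '$' or '*' marker
]
SAMPLE_MESSAGE = {
    "inbound": True,
    "to": ["recipient@example.com"],
    "links": ["https://example.invalid/contact", SUSPICIOUS_URLS[0]],
}

if __name__ == "__main__":
    for u in SUSPICIOUS_URLS + BENIGN_URLS:
        print(f"{str(path_matches_tycoon_structure(u)):5} {u}")
    print("message flagged:", message_matches(SAMPLE_MESSAGE))
```

The benign list doubles as a check on the rule's guard rails: the two-slash count and the required `$`/`*` marker are what keep ordinary two-segment paths, and paths that merely contain `!` or `@`, from firing.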