Link: /index.php Enclosed in Three Asterisks
Detects messages containing a specific pattern of triple asterisks surrounding HTTP links that point to PHP index pages with query parameters, indicating potential malicious behavior. This specific pattern has been observed within messages leading to FakeAV/Tech Support scams.
Sublime rule
name: "Link: /index.php Enclosed in Three Asterisks"
description: "Detects messages containing a specific pattern of triple asterisks surrounding HTTP links that point to PHP index pages with query parameters, indicating potential malicious behavior. This specific pattern has been observed within messages leading to FakeAV/Tech Support scams."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.count(body.current_thread.text, '* * *') == 2
  and strings.contains(body.current_thread.text, ': http')
  and strings.contains(body.current_thread.text, '/index.php?')
  and regex.icontains(body.current_thread.text, '\* \* \*[^\r\n]+: https?:\/\/.*\/index\.php\?[a-z0-9]+[^\r\n]+\* \* \*')
attack_types:
  - "Malware/Ransomware"
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "aa4bbafc-85ac-5e40-a467-e8fc745332be"
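As an added example (not part of the Sublime rule or its repository), the rule's four conditions re-implemented in Python and run over constructed sample bodies, including one where the cheap substring checks pass but the single-line regex does not; the sample text and hostnames are made up.

```python
import re

# Same pattern as the rule's regex.icontains call; IGNORECASE mirrors the "i".
# Python's "." does not cross newlines without DOTALL, so, as in the rule, the
# opening "* * *", the ": http" link and the closing "* * *" must share a line.
TRIPLE_ASTERISK_LINK = re.compile(
    r"\* \* \*[^\r\n]+: https?://.*/index\.php\?[a-z0-9]+[^\r\n]+\* \* \*",
    re.IGNORECASE,
)


def matches_rule(body_text: str, inbound: bool = True) -> bool:
    """Return True when body_text satisfies every condition of the rule."""
    if not inbound:                              # type.inbound
        return False
    if body_text.count("* * *") != 2:            # strings.count(...) == 2
        return False
    if ": http" not in body_text:                # strings.contains(': http')
        return False
    if "/index.php?" not in body_text:           # strings.contains('/index.php?')
        return False
    return TRIPLE_ASTERISK_LINK.search(body_text) is not None


# Constructed sample bodies (not real messages).
SAMPLE_HIT = (
    "Hello,\n"
    "* * * Your renewal notice is ready: http://notice.example/index.php?id=4f9a2 "
    "view now * * *\n"
    "Thanks"
)
# Two triple-asterisk separators but no link at all: count passes, rest fails.
SAMPLE_SEPARATOR_ONLY = "* * *\nRegards,\nThe Team\n* * *"
# Link present, but the asterisks and the URL sit on different lines, so the
# substring checks pass while the regex does not: no match.
SAMPLE_MULTILINE = "* * *\nLink: http://notice.example/index.php?id=4f9a2\n* * *"


def evaluate_samples() -> dict:
    """Run the rule over each constructed sample and return the verdicts."""
    return {
        "hit": matches_rule(SAMPLE_HIT),
        "separator_only": matches_rule(SAMPLE_SEPARATOR_ONLY),
        "multiline": matches_rule(SAMPLE_MULTILINE),
        "outbound_hit": matches_rule(SAMPLE_HIT, inbound=False),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```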