Link: Suspicious Family fragment parameter with encoded recipient data
Detects inbound messages containing links whose URL fragment carries a 'Family' parameter (the rule also matches the 'Farnily' lookalike spelling) whose value is a base64- or hex-encoded email address. Embedding the recipient's address in a link this way may indicate that the content has been personalized for a specific target, a pattern associated with credential phishing.
name: "Link: Suspicious Family fragment parameter with encoded recipient data"
description: "Detects messages containing links with URL fragments that include 'Family' parameters containing base64 or hex encoded email addresses, which may indicate personalized malicious content targeting specific recipients."
type: "rule"
severity: "high"
# MQL below; '//' lines are MQL comments inside the YAML block scalar.
# Only inbound mail is evaluated, and a single matching link in the body is enough.
source: |
  type.inbound
  and any(body.links,
          // the fragment carries a Family= parameter (case-insensitive); the (?:m|rn)
          // alternation also matches the "Farnily" spelling -- r+n standing in for m,
          // presumably to evade a literal "Family" match
          regex.icontains(.href_url.fragment, 'Fa(?:m|rn)ily=')
          // and the fragment also carries something that decodes to an email address
          and (
            // base64 branch: scan the whole fragment (not just the Family value) for
            // base64 runs, padding optional, that parse as an address with a valid domain
            any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                strings.parse_email(.).domain.valid
                // double base64 encoded.. yup -- each decoded candidate is scanned and
                // decoded once more
                or any(strings.scan_base64(., ignore_padding=true),
                       strings.parse_email(.).domain.valid
                )
            )
            // otherwise inspect the Family= value itself (everything up to the next '&').
            // NOTE(review): the `$?` after '=' is an optional end-of-string anchor, which
            // is effectively a no-op; if a literal '$' template marker was intended it
            // would need escaping as `\$?`. Confirm against samples before changing it:
            // a leading '$' would then be dropped from the capture, which also changes
            // the parity used by the hex length check below.
            or any(regex.iextract(.href_url.fragment,
                                  'Fa(?:m|rn)ily=$?(?P<email_addy>[^&]+)'
                   ),
                   // plain text email addresses
                   strings.parse_email(.named_groups["email_addy"]).domain.valid
                   // observed hex encoded email address in addition to the base64 encoded
                   // ones: 0x40 is '@', 0x2e is '.', and hex encoding yields an even length.
                   // This is deliberately loose -- it does not require the value to consist
                   // solely of hex digits, so any even-length value containing both "40"
                   // and "2e" qualifies once the Family= precondition above has been met.
                   or (
                     strings.icontains(.named_groups["email_addy"], '40')
                     and strings.icontains(.named_groups["email_addy"], '2e')
                     and length(.named_groups["email_addy"]) % 2 == 0
                   )
                   // sometimes the template messes up: the value is an unrendered
                   // placeholder instead of the encoded address (presumably the kit's own
                   // variable name)
                   or strings.icontains(.named_groups["email_addy"],
                                        'sf_base64_enc'
                   )
                   // messed up in a different way: the parameter name itself appears
                   // inside the captured value
                   or regex.icontains(.named_groups["email_addy"],
                                      'Fa(?:m|rn)ily'
                   )
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Encryption"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "b3329deb-467e-58b4-9ded-092a08f4eb8f"