Link: Base64 encoded recipient address in URL fragment with subject hash

Detects inbound messages whose subject line contains a 32 to 64 character alphanumeric token (delimited by non-alphanumeric characters) that also appears in the URL fragment of a link in the body, where that same fragment contains a base64-encoded copy of the recipient's email address. The rule compares the decoded fragment content against the first address in the To header only. This technique is used to personalize malicious links and to evade detection by hiding the target's address inside the URL structure rather than exposing it in plain text.

Sublime rule (View on GitHub)

name: "Link: Base64 encoded recipient address in URL fragment with subject hash"
description: "Detects messages containing an alphanumeric string that is between 32 and 64 characters in the subject line that corresponds to a URL fragment containing the recipient's email address encoded in base64. This technique is commonly used to personalize malicious links and evade detection by embedding the target's email address within the URL structure."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(regex.iextract(subject.subject,
                         '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
          ),
          any(body.links,
              strings.contains(.href_url.fragment, ..named_groups["string"])
              and any(strings.scan_base64(.href_url.fragment), strings.contains(., recipients.to[0].email.email))
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
id: "eb9694b8-f4dc-5e82-8d05-c359dbf179cc"
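The following Python is an added illustration of the logic above, written for this page; it is not Sublime's code and not the rule engine. It reuses the rule's own subject regex, approximates the built-in strings.scan_base64 with a simple scanner (an assumption: the real built-in may find candidate runs differently), and takes a single recipient address where the rule reads recipients.to[0].email.email. The subject, links and recipient below are constructed sample data. Two edge cases worth knowing about are exercised: the leading [^a-z0-9] in the regex means a token that starts the subject never matches, and a run longer than 64 characters is rejected rather than truncated.

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlparse

# The pattern the rule passes to regex.iextract; IGNORECASE mirrors the "i".
# Because of the leading [^a-z0-9], a token at position 0 of the subject
# has no preceding character and does not match.
SUBJECT_TOKEN_RE = re.compile(
    r"[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])", re.IGNORECASE
)

# Runs of base64-alphabet characters (standard and URL-safe) with optional
# padding. Assumption: this stands in for Sublime's strings.scan_base64.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def subject_tokens(subject: str) -> list[str]:
    """All 32-64 character alphanumeric tokens the rule's regex would extract."""
    return [m.group("string") for m in SUBJECT_TOKEN_RE.finditer(subject)]


def _decode_b64(chunk: str) -> str | None:
    """Decode one candidate run, accepting URL-safe alphabet and missing padding."""
    core = chunk.rstrip("=").replace("-", "+").replace("_", "/")
    if len(core) % 4 == 1:  # no padding length makes this decodable
        return None
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="ignore")


def scan_base64(text: str) -> list[str]:
    """Decoded text for every base64-looking run in text.

    '/' and '+' are base64 characters but also common URL separators, so a
    token and an encoded address joined by '/' form one run whose decoding is
    misaligned. Every suffix starting after a '/' or '+' is therefore tried too.
    """
    decoded = []
    for m in B64_RUN_RE.finditer(text):
        run = m.group(0)
        candidates = [run] + [run[i + 1:] for i, c in enumerate(run) if c in "/+"]
        for cand in candidates:
            if len(cand) < 8:
                continue
            out = _decode_b64(cand)
            if out is not None:
                decoded.append(out)
    return decoded


def matching_link(subject: str, links: list[str], recipient_email: str) -> tuple[str, str] | None:
    """Return (subject_token, href) for the first link whose fragment contains a
    subject token and a base64 run decoding to text that contains the recipient
    address, i.e. the condition under which the rule fires; None otherwise."""
    for token in subject_tokens(subject):
        for href in links:
            fragment = urlparse(href).fragment  # '' when the link has no '#'
            if token not in fragment:
                continue
            if any(recipient_email in text for text in scan_base64(fragment)):
                return token, href
    return None


# Constructed sample message (hypothetical addresses and hostnames).
RECIPIENT = "jane.doe@example.com"
SAMPLE_SUBJECT = "Action required: 7f3a9c2e1b4d6f8a0c2e4b6d8f1a3c5e"
SAMPLE_LINKS = [
    "https://www.example.com/",  # benign link, no fragment
    # fragment = subject token + '/' + base64("jane.doe@example.com")
    "https://login.example.net/auth#7f3a9c2e1b4d6f8a0c2e4b6d8f1a3c5e/amFuZS5kb2VAZXhhbXBsZS5jb20=",
]

if __name__ == "__main__":
    print("tokens:", subject_tokens(SAMPLE_SUBJECT))
    print("hit:", matching_link(SAMPLE_SUBJECT, SAMPLE_LINKS, RECIPIENT))
    print("token at start of subject:", subject_tokens("7f3a9c2e1b4d6f8a0c2e4b6d8f1a3c5e please review"))
```

When tuning the rule, the two regex edge cases above are the ones most likely to surprise: a subject that is nothing but the hash, or a hash longer than 64 characters, produces no match at all, and the fragment comparison is case-sensitive even though the subject extraction is not.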