Link: Suspicious file retrieval with recipient targeting

Detects inbound messages containing links with '/getfile/filefor' URL paths that include the recipient's email address, indicating potential targeted file delivery or credential harvesting.

Sublime rule

```yaml
name: "Link: Suspicious file retrieval with recipient targeting"
description: "Detects inbound messages containing links with '/getfile/filefor' URL paths that include the recipient's email address, indicating potential targeted file delivery or credential harvesting."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // observed url path
          strings.icontains(.href_url.path, '/getfile/filefor')
          // with email
          and strings.icontains(.href_url.path, recipients.to[0].email.email)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "URL analysis"
id: "4acdc184-3fcc-558c-8364-2fe74f413ca3"
```
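To show what the two link conditions above actually evaluate, here is an added Python re-implementation of the rule's logic run over a handful of constructed sample messages. It is example code written for this page, not Sublime's MQL engine or any part of the rule repository. The message dictionary shape (`inbound`, `to`, `body`) and the URL extraction regex are assumptions; one deliberate extension beyond the rule is that each path is also compared after percent-decoding, so a recipient address written as `bob%40example.com` still matches, which a plain substring check on the raw path would miss.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample messages (not real traffic). Each carries a direction
# flag, the "to" recipient list and a plain-text body with one link.
SAMPLE_MESSAGES = [
    {   # straightforward match: inbound, path marker present, first recipient in path
        "id": "msg-1",
        "inbound": True,
        "to": ["alice@example.com"],
        "body": "Your document is ready: https://files.example.net/getfile/filefor/alice@example.com/report.pdf",
    },
    {   # address is percent-encoded and the marker uses mixed case
        "id": "msg-2",
        "inbound": True,
        "to": ["bob@example.com"],
        "body": "Download here: https://files.example.net/GetFile/FileFor/bob%40example.com",
    },
    {   # marker present but the embedded address is not the recipient's
        "id": "msg-3",
        "inbound": True,
        "to": ["carol@example.com"],
        "body": "See https://files.example.net/getfile/filefor/dave@example.com",
    },
    {   # outbound message: type.inbound fails
        "id": "msg-4",
        "inbound": False,
        "to": ["erin@example.com"],
        "body": "https://files.example.net/getfile/filefor/erin@example.com",
    },
    {   # no "to" recipients: recipients.to[0] does not exist
        "id": "msg-5",
        "inbound": True,
        "to": [],
        "body": "https://files.example.net/getfile/filefor/nobody@example.com",
    },
]

# Assumed, simple http(s) URL extractor standing in for body.links.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

PATH_MARKER = "/getfile/filefor"


def extract_link_paths(body):
    """Return the path component of every http(s) URL found in the body."""
    return [urlparse(url).path for url in URL_RE.findall(body)]


def link_targets_recipient(path, recipient_email):
    """Mirror the rule's two strings.icontains() checks on a single link path.

    Both checks are case-insensitive. As an extension to the rule, the
    percent-decoded path is also inspected so encoded '@' (%40) is caught.
    """
    raw = path.lower()
    decoded = unquote(raw)
    email = recipient_email.lower()
    if PATH_MARKER not in raw and PATH_MARKER not in decoded:
        return False
    return email in raw or email in decoded


def rule_matches(msg):
    """Return True when the message satisfies type.inbound and the any() clause."""
    if not msg.get("inbound"):
        return False
    if not msg.get("to"):
        # The rule reads recipients.to[0]; with no recipients there is
        # nothing to compare against, so treat it as a non-match.
        return False
    first_recipient = msg["to"][0]
    return any(link_targets_recipient(p, first_recipient)
               for p in extract_link_paths(msg["body"]))


def evaluate(messages):
    """Return the ids of all messages the rule would flag."""
    return [m["id"] for m in messages if rule_matches(m)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGES))  # ['msg-1', 'msg-2']
```

Note that, like the rule, this only compares against the first `to` recipient; a message delivered to several people whose link embeds the second recipient's address would not fire. Widening the check to every recipient is a one-line change in `rule_matches` if that matters in your environment.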