Link: GoPhish default rid value

Detects links that contain a 7-character alphanumeric 'rid' query parameter, a value commonly used by tracking and targeting systems for malicious purposes.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL query under `source:` is evaluated
# against each message; every other key is rule metadata.
name: "Link: GoPhish default rid value"
description: "Detects links containing a 7-character alphanumeric 'rid' query parameter, commonly used in tracking and targeting systems for malicious purposes."
type: "rule"
severity: "low"
# `|` is a YAML literal block scalar: everything below, including the `//`
# MQL comments, is part of the query text.
source: |
  type.inbound
  // few body links
  and length(body.links) < 20
  // at least one link must satisfy the whole block below
  and any(body.links,
          // not a common marketing url rewriter
          not .href_url.domain.root_domain == "vtiger.com"
          and not strings.icontains(.href_url.url, "vtiger.com")
          // myshopify return tracking numbers
          and not (
            length(.href_url.query_params_decoded["tracking_number"]) == 1
            and length(.href_url.query_params_decoded["rid"]) == 1
          )
          // the rid value present
          and length(.href_url.query_params_decoded["rid"]) == 1
          // the RID value is 7 bytes
          and length(.href_url.query_params_decoded["rid"][0]) == 7
          // contains letters and numbers
          // (imatch is case-insensitive, so [a-z0-9] also admits upper case)
          and regex.imatch(.href_url.query_params_decoded["rid"][0],
                           '^[a-z0-9]{7}$'
          )
          // exclude single-character-class shapes; the match below is
          // case-sensitive, so the lower- and upper-case patterns are distinct
          and not regex.match(.href_url.query_params_decoded["rid"][0],
                              // not just numbers - ~0.00046% chance of being all numbers
                              '^[0-9]{7}$',
                              // not just lower case letters ~0.31% chance of all lowercase
                              '^[a-z]{7}$',
                              // not just upper case letters ~0.31% chance of being all uppercase
                              '^[A-Z]{7}$',
                              // a single letter followed by digits has ~0.00151% chance
                              '^[A-Za-z]\d{6}$'
          )
          // .href_url.query_params_decoded is the wrong type for length
          // so count the number of param values, and ensure it's 3 or less
          // (each match is one "=value" followed by "&" or end of string,
          // so a param with an empty value is not counted)
          and regex.icount(.href_url.query_params, '=[^\=]+(?:&|$)') <= 3
  )
  // not high trust sender domains
  // the DMARC pass is required alongside the domain match, so a message
  // merely claiming a high-trust domain is not exempted
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
  // NOTE(review): presumably exempts senders whose profile already holds
  // benign messages - confirm against the profile.by_sender_email() docs
  and not profile.by_sender_email().any_messages_benign
# Metadata used for rule classification and reporting.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
# rule UUID
id: "6d2b9c8a-ec51-562c-88f5-58605b1e5a6e"