Link: GoPhish query param values

Detects links whose single query parameter carries a 7-character alphanumeric value — the format of GoPhish's default recipient-tracking 'rid' parameter, or of a renamed variant of it — as used to track and target individual recipients in phishing campaigns.


# Sublime detection rule: flag inbound mail carrying a link whose only query
# parameter looks like a GoPhish result id (7 alphanumeric characters).
name: "Link: GoPhish query param values"
description: "Detects links containing a 7-character alphanumeric 'rid' (default) query parameter, or any other variant identified, commonly used in tracking and targeting systems for malicious purposes."
type: "rule"
# low: a single 7-char alphanumeric value is a weak indicator on its own; the
# exclusions below carry most of the false-positive control
severity: "low"
source: |
  type.inbound
  // exclude senders whose root domain is in the Tranco top 50k
  // (presumably to cut noise from large legitimate senders)
  and sender.email.domain.root_domain not in $tranco_50k
  // few body links: link-heavy mail (newsletters, digests) is out of scope,
  // so a campaign padded with many links would not match this rule
  and length(body.links) < 20
  // Adding loop of different query param values
  // https://github.com/fin3ss3g0d/evilgophish/blob/main/replace_rid.sh
  // NOTE(review): the inner predicate never references the outer iteration item,
  // so this any() over ["mid", "rid"] does not constrain the parameter *name* at
  // all - it only makes the inner any() evaluate twice. The rule therefore matches
  // any single-parameter link whose value looks like a rid. That may be intended
  // (the linked script renames the rid parameter), in which case the wrapper can
  // be dropped; if name matching is actually wanted, the key must be bound explicitly.
  and any(["mid", "rid"],
          any(body.links,
              // not a common marketing url rewriter
              not .href_url.domain.root_domain == "vtiger.com"
              and not strings.icontains(.href_url.url, "vtiger.com")
              // myshopify return tracking numbers
              and not (
                length(.href_url.query_params_decoded["tracking_number"]) == 1
                and length(.href_url.query_params_decoded[..]) == 1
              )
              // exactly one decoded query-param value in the link; links carrying
              // additional parameters are deliberately not matched
              and length(.href_url.query_params_decoded[..]) == 1
              // the value is 7 characters, the length of GoPhish's default rid.
              // NOTE(review): a GoPhish build patched to emit a different length
              // evades this check entirely
              and length(.href_url.query_params_decoded[..][0]) == 7
              // only letters and digits; imatch is case-insensitive, so A-Z passes too
              and regex.imatch(.href_url.query_params_decoded[..][0],
                               '^[a-z0-9]{7}$'
              )
              // drop low-entropy 7-char values that a random [A-Za-z0-9] id is
              // unlikely to produce (order numbers, short words, ...). These use
              // case-sensitive regex.match on purpose. The percentages below are
              // rough; exact odds depend on the generator's alphabet - verify
              // before tightening them.
              and not regex.match(.href_url.query_params_decoded[..][0],
                                  // not just numbers - ~0.00046% chance of being all numbers
                                  '^[0-9]{7}$',
                                  // not just lower case letters ~0.31% chance of all lowercase
                                  '^[a-z]{7}$',
                                  // not just upper case letters ~0.31% chance of being all uppercase
                                  '^[A-Z]{7}$',
                                  // a single letter followed by digits has ~0.00151% chance
                                  '^[A-Za-z]\d{6}$'
              )
              // and not a common value observed in benign samples
              // ("Emailer" is 7 mixed-case letters, so it survives every check above)
              and not .href_url.query_params_decoded[..][0] == "Emailer"
              // .href_url.query_params_decoded is the wrong type for length
              // so count the number of param values, and ensure it's 3 or less
              // NOTE(review): this counts '=value' pairs in the raw query string,
              // which can differ from the decoded map checked above (e.g. empty or
              // repeated keys); presumably a belt-and-braces bound - confirm it is
              // still needed now that the decoded value count is pinned to 1
              and regex.icount(.href_url.query_params, '=[^\=]+(?:&|$)') <= 3
          )
  )
  // not high trust sender domains
  // (excluded only when DMARC passes: a high-trust domain without a DMARC pass is
  // still evaluated, so a spoofed high-trust sender does not get a free pass)
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // senders with prior benign messages to this recipient are excluded
  and not profile.by_sender_email().any_messages_benign  
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "6d2b9c8a-ec51-562c-88f5-58605b1e5a6e"