Link: Common hidden directory observed

calendar Jan 13, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.

Sublime rule (View on GitHub)

 1name: "Link: Common hidden directory observed"
 2description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
 3references:
 4  - "https://datatracker.ietf.org/doc/html/rfc8615"
 5  - "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and 0 < length(body.links) <= 10
11  and any(body.links,
12          (
13            strings.icontains(.href_url.path, "/.well-known/")
14            and (
15              // well-known with a directory behind it
16              regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
17              // or a fragment in the url
18              or .href_url.fragment is not null
19            )
20          )
21          or strings.icontains(.href_url.path, "/.js/")
22          or strings.icontains(.href_url.path, "/.env/")
23          or strings.icontains(.href_url.path, "/.git/")
24          or strings.icontains(.href_url.path, "/.svn/")
25          or strings.icontains(.href_url.path, "/.hg/")
26          or strings.icontains(.href_url.path, "/.DS_Store/")
27          or strings.icontains(.href_url.path, "/.htpasswd/")
28          or strings.icontains(.href_url.path, "/.htaccess/")
29          or strings.icontains(.href_url.path, "/.bash_history/")
30          or strings.icontains(.href_url.path, "/.bashrc/")
31          or strings.icontains(.href_url.path, "/.zshrc/")
32          or strings.icontains(.href_url.path, "/.profile/")
33  )
34  // negate highly trusted sender domains unless they fail DMARC authentication
35  and (
36    (
37      sender.email.domain.root_domain in $high_trust_sender_root_domains
38      and not headers.auth_summary.dmarc.pass
39    )
40    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
41  )  
42tags:
43 - "Attack surface reduction"
44attack_types:
45  - "Credential Phishing"
46tactics_and_techniques:
47  - "Evasion"
48detection_methods:
49  - "URL analysis"
50  - "HTML analysis"
51id: "9f316da6-821c-5fed-b967-80fc0e740626"

Related rules

to-top