Link: Common hidden directory observed
Links in the message point to hidden or system directories such as .git, .env, or .well-known — paths that can expose configuration data or repository contents and that a legitimate site would rarely link a user into. Attackers who compromise a website frequently place credential phishing landing pages under these directories to hide them.
# Sublime Security detection rule; the detection logic is the MQL query in the
# `source` block scalar below. It fires on inbound mail whose links point into
# "dot" directories a legitimate site would rarely link a user into
# (.git, .env, .svn, ...) or into a non-standard sub-path / fragment under the
# RFC 8615 /.well-known/ prefix.
name: "Link: Common hidden directory observed"
description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
# RFC 8615 defines the /.well-known/ prefix; the IANA registry lists the
# legitimate well-known suffixes (acme-challenge, pki-validation, ...).
references:
  - "https://datatracker.ietf.org/doc/html/rfc8615"
  - "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
type: "rule"
severity: "medium"
source: |
  // Inbound mail only.
  type.inbound
  // Require 1..10 links: zero-link mail cannot match, and link-heavy mail
  // (newsletters, digests) is out of scope -- presumably to keep noise down.
  and 0 < length(body.links) <= 10
  // A single link satisfying any one of the path conditions below is enough.
  // NOTE(review): only .href_url.path is inspected for the dot-directory
  // checks; a dot-directory name that appears in the query string is not
  // covered here.
  and any(body.links,
          (
            strings.icontains(.href_url.path, "/.well-known/")
            and (
              // well-known with a directory behind it
              // i.e. /.well-known/<suffix>/<more>/ -- a further directory
              // level beneath the well-known suffix.
              (
                regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
                // doesn't contain anything after /pki-validation/ or contains godaddy.html after (which is their location for the validation)
                // imatch is a full-path match, so only exactly
                // "/.well-known/pki-validation/" and
                // "/.well-known/pki-validation/godaddy.html" are exempted;
                // deeper paths under pki-validation still fire.
                // NOTE(review): the dots in this pattern are unescaped
                // (unlike the regex just above). Harmless in practice because
                // the literal "/.well-known/" is already required by the
                // icontains gate, but '/\.well-known/pki-validation/(?:godaddy\.html)?'
                // would be the precise form.
                and not regex.imatch(.href_url.path,
                                     '/.well-known/pki-validation/(?:godaddy.html)?'
                )
              )
              // or a fragment in the url
              // Any /.well-known/ link carrying a "#fragment" matches, even
              // without a sub-directory beneath the well-known suffix.
              or .href_url.fragment is not null
            )
          )
          // Other hidden directories. Every pattern ends with a slash, so the
          // dot-name must be a directory component of the path
          // (e.g. /.git/config or /.env/login.html).
          // NOTE(review): a path that ends at the dot-name (/.env, /.htpasswd,
          // or /.git with no trailing slash) does NOT match; the rule targets
          // phishing pages hosted *inside* these directories rather than
          // disclosure of the file itself.
          or strings.icontains(.href_url.path, "/.js/")
          or strings.icontains(.href_url.path, "/.env/")
          or strings.icontains(.href_url.path, "/.git/")
          or strings.icontains(.href_url.path, "/.svn/")
          or strings.icontains(.href_url.path, "/.hg/")
          or strings.icontains(.href_url.path, "/.DS_Store/")
          or strings.icontains(.href_url.path, "/.htpasswd/")
          or strings.icontains(.href_url.path, "/.htaccess/")
          or strings.icontains(.href_url.path, "/.bash_history/")
          or strings.icontains(.href_url.path, "/.bashrc/")
          or strings.icontains(.href_url.path, "/.zshrc/")
          or strings.icontains(.href_url.path, "/.profile/")
          or strings.icontains(.href_url.path, "/.wp/")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain is exempted only when DMARC passed; a spoofed
  // high-trust domain that fails DMARC is still evaluated by the link logic
  // above.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "HTML analysis"
id: "9f316da6-821c-5fed-b967-80fc0e740626"