Link: Obfuscation via userinfo with suspicious indicators

Detects URLs that use the @ symbol (userinfo) to hide suspicious domains or URL shorteners within the link structure, excluding legitimate email addresses and malformed mailto/tel links.


name: "Link: Obfuscation via userinfo with suspicious indicators"
description: "Detects URLs that use the @ symbol to hide suspicious domains or URL shorteners within the link structure, excluding legitimate email addresses and malformed mailto/telto links."
type: "rule"
severity: "low"
# MQL query; `type.inbound` restricts evaluation to inbound messages and the
# `any(body.links, ...)` predicate fires if at least one link in the body matches.
source: |
  type.inbound
  and any(body.links,
          // the userinfo part of the URL (text before '@') must be present and
          // contain a '.', i.e. it looks like a domain name a reader could take
          // for the real destination host
          .href_url.username is not null
          and strings.contains(.href_url.username, '.')
          // stricter variant (currently disabled): require the userinfo to parse as a valid domain
          // and coalesce(strings.parse_domain(.href_url.username).valid, false)
          // plain userinfo only; a user:password form is out of scope here
          and .href_url.password is null
          // the real host (the part after '@') must carry at least one suspicious indicator:
          // a shortener, free file/subdomain host, self-service site builder, or suspicious TLD
          and (
            .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.tld in $suspicious_tlds
          )
          // exclusion: the whole link text parses as a valid email address and was
          // picked up by the "hyperlink" parser (a plain address, not an obfuscated URL)
          and not (
            coalesce(strings.parse_email(.href_url.url).domain.valid, false)
            and .parser == "hyperlink"
          )
          // exclusion: we don't want to match on malformed mailto or tel links,
          // whether declared via the scheme or leaked into the userinfo ("mailto=", "tel to=")
          and not .href_url.scheme in ('mailto', "tel")
          and not regex.icontains(.href_url.username, '^(?:mail|tel)\s*to=')
          // exclusion: unsubscribe links; coalesce(..., false) keeps the exclusion from
          // becoming null (presumably when query_params is absent — confirm in MQL docs)
          and not coalesce(regex.icontains(.href_url.query_params,
                                           '\bunsubscribe\b'
                           ),
                           false
          )
  
          // exclusion: we don't want utm-tagged (marketing) urls
          // NOTE(review): the unsubscribe and utm exclusions favour precision over recall —
          // a link whose host matched above is still suppressed if it carries these parameters
          and not regex.icontains(.href_url.url,
                                  'utm_(?:source|medium|term|campaign)='
          )
  )  
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "9f9aefd1-4474-5a91-833b-d6bc00ee0b59"