Link: Hotel booking spoofed display URL

Detects inbound messages containing a link whose visible (display) URL references booking.com but whose actual destination is a different root domain, where the display URL additionally carries booking-style parameters commonly seen in hotel reservation scams, the destination is a share.google link, or the destination domain was registered less than 30 days ago. Authenticated (DMARC-passing) mail from booking.com itself and mailing-list style bulk mail are excluded.


 1name: "Link: Hotel booking spoofed display URL"
 2description: "Detects messages containing links with hotel-related display URLs that either redirect to different domains or contain suspicious parameters commonly used in booking scams and fraudulent hotel reservation schemes."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          strings.icontains(.display_url.url, 'booking.com')
 9          and not strings.icontains(.href_url.url,
10                                    .display_url.domain.root_domain
11          )
12          and .display_url.domain.root_domain != .href_url.domain.root_domain
13          and (
14            regex.icontains(.display_url.url,
15                            '(?:aid=\d{6}|label=gen\d+nr|review-bad|\b\w+\.html|expirince|hoteladmin|feedback)'
16            )
17            or .href_url.domain.root_domain == "share.google"
18            or any(body.links, network.whois(.href_url.domain).days_old < 30)
19          )
20          and .mismatched
21  )
22  and not strings.icontains(body.current_thread.text,
23                            "unsubscribe from this list"
24  )
25  and not (
26    sender.email.domain.root_domain == "booking.com"
27    and coalesce(headers.auth_summary.dmarc.pass, false)
28  )  
29attack_types:
30  - "BEC/Fraud"
31  - "Credential Phishing"
32tactics_and_techniques:
33  - "Evasion"
34  - "Social engineering"
35detection_methods:
36  - "URL analysis"
37  - "Sender analysis"
38id: "96deeec7-170e-5100-8422-5105344e21ca"