Link: HTML file with suspicious binary fragment ending pattern

calendar Jan 29, 2026  ·
Share on: linkedin copy

Detects links to HTML files containing fragments with a suspicious pattern of alphanumeric characters followed by a 5-digit binary sequence, commonly used in malicious URL structures.

Sublime rule (View on GitHub)

 1name: "Link: HTML file with suspicious binary fragment ending pattern"
 2description: "Detects links to HTML files containing fragments with a suspicious pattern of alphanumeric characters followed by a 5-digit binary sequence, commonly used in malicious URL structures."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          strings.ends_with(.href_url.path, '.html')
 9          and regex.contains(.href_url.fragment, '\-[a-z0-9]+[01]{5}$')
10  )  
11attack_types:
12  - "Credential Phishing"
13tactics_and_techniques:
14  - "Evasion"
15detection_methods:
16  - "URL analysis"
17id: "dc5e3700-1f29-5fed-8378-38631e0ceea1"
to-top