Link: Suspicious Loom HTML file path

Detects inbound messages containing links to Loom HTML files, which may be used to deliver malicious content or bypass security controls through the legitimate Loom platform.

Sublime rule

name: "Link: Suspicious Loom HTML file path"
description: "Detects inbound messages containing links to Loom HTML files, which may be used to deliver malicious content or bypass security controls through the legitimate Loom platform."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          regex.imatch(.href_url.path, '/loom/[^\/]+\.html')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "URL analysis"
id: "bd27e7ec-1e77-5134-a572-32d642058aa5"
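
The rule's path check reproduced in Python so it can be exercised offline against constructed links; this is an added example, not part of the Sublime rule or its repository. It assumes `regex.imatch` is a case-insensitive match of the whole string and that `href_url.path` excludes the query string; the function names and hostnames are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied verbatim from the rule's `source` block.
LOOM_HTML_PATH = re.compile(r'/loom/[^\/]+\.html', re.IGNORECASE)


def link_matches(url: str) -> bool:
    """Mirror regex.imatch(.href_url.path, ...).

    Assumption: imatch is case-insensitive and must match the entire
    path, so fullmatch() is used rather than search().
    """
    path = urlsplit(url).path  # path only: no host, query or fragment
    return LOOM_HTML_PATH.fullmatch(path) is not None


def rule_fires(inbound: bool, links: list[str]) -> bool:
    """Mirror `type.inbound and any(body.current_thread.links, ...)`."""
    return inbound and any(link_matches(u) for u in links)


# Constructed sample links (hypothetical hosts) with the expected verdict.
SAMPLES = {
    # Single file directly under /loom/ ending in .html
    "https://files.example.test/loom/recording.html": True,
    # Case differences and a query string do not affect the path match
    "https://files.example.test/LOOM/Shared-Video.HTML?src=mail": True,
    # [^/]+ covers exactly one path segment, so nested files are missed
    "https://files.example.test/loom/a/b.html": False,
    # Whole-path match: a prefix before /loom/ is not matched
    "https://files.example.test/share/loom/recording.html": False,
    # Extension must be exactly .html
    "https://files.example.test/loom/recording.htm": False,
    # An ordinary Loom share link has no /loom/<name>.html path
    "https://www.loom.com/share/0123456789abcdef": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = link_matches(url)
        flag = "ok" if verdict == expected else "MISMATCH"
        print(f"{flag:8} match={verdict!s:5} {url}")
```

The nested-path and prefixed-path cases show where the pattern's coverage ends, which is worth knowing when tuning or writing companion rules.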