Link: Mamba 2FA phishing kit
Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.
Sublime rule
```yaml
name: "Link: Mamba 2FA phishing kit"
description: "Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.links) < 10
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
    )
    or (
      length(recipients.to) == 1
      and any(recipients.to,
              strings.icontains(body.current_thread.text, .email.email)
      )
      and regex.icontains(body.current_thread.text,
                          '(invoice|document|docusign|past due|confirm receipt)'
      )
    )
    or (
      sender.email.domain.domain == 'icloud.com'
      and any(attachments, .file_name == 'invite.ics')
    )
  )
  and any(body.links,
          any(ml.link_analysis(., mode="aggressive").redirect_history,
              (
                // sv= in base64 as well as commonly observed tag
                regex.contains(.url, '(?:(?:/?|=)c3Y9|N0123N)')
                // &uid=USER base64 offsets
                and (
                  strings.contains(.url, 'JnVpZD1VU0VS')
                  or strings.contains(.url, 'Z1aWQ9VVNFU')
                  or strings.contains(.url, 'mdWlkPVVTRV')
                )
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "URL analysis"
id: "8d527c0f-9dc8-5d96-ac85-13f67147cc9c"
```
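The three `strings.contains` values in the rule are one marker, `&uid=USER`, as base64 renders it at each of the three possible byte alignments. The Python below is an added example, not part of the Sublime rule or its repository: it derives those substrings from the marker and mirrors the rule's per-hop redirect test on a constructed chain; the hostnames and URLs in it are constructed samples.

```python
import base64
import re

# Added example, not the Sublime rule itself. Hostnames/URLs are constructed samples.

def base64_alignment_substrings(marker: bytes) -> list[str]:
    """Base64 text of `marker` for each of the three 3-byte alignments.

    Base64 maps 3 bytes to 4 characters, so a marker's encoded form depends on
    its byte offset modulo 3 within the whole string. For each offset the marker
    is encoded twice with different filler bytes around it; any character that
    changes with the filler depends on unknown neighbours and is dropped.
    """
    variants = []
    for offset in range(3):
        tail = (-(offset + len(marker))) % 3  # pad to a multiple of 3 bytes
        encodings = [
            base64.b64encode(fill * offset + marker + fill * tail).decode("ascii")
            for fill in (b"\x00", b"\xff")
        ]
        variants.append("".join(a for a, b in zip(*encodings) if a == b))
    return variants


UID_MARKERS = base64_alignment_substrings(b"&uid=USER")
# The rule's own sv= pattern: 'c3Y9' is base64("sv=") at a path or query-value
# boundary; 'N0123N' is the commonly observed tag its comment mentions.
SV_PATTERN = re.compile(r"(?:(?:/?|=)c3Y9|N0123N)")

def hop_matches(url: str) -> bool:
    """One redirect-history entry, tested the way the rule tests `.url`."""
    return bool(SV_PATTERN.search(url)) and any(m in url for m in UID_MARKERS)


def redirect_chain_matches(redirect_history: list[str]) -> bool:
    """True when a single hop carries both markers, like the rule's inner any()."""
    return any(hop_matches(url) for url in redirect_history)


def build_lure(plaintext: bytes) -> str:
    """Constructed sample hop: kit-style parameters base64-encoded into a query value."""
    return "https://redirect.example/go?q=" + base64.b64encode(plaintext).decode("ascii")


if __name__ == "__main__":
    print(UID_MARKERS)  # ['JnVpZD1VU0VS', 'Z1aWQ9VVNFU', 'mdWlkPVVTRV'], as in the rule
    print(redirect_chain_matches(["https://link.example/click", build_lure(b"sv=o365&uid=USER")]))  # True
    # Markers split across two hops do not fire: the rule's `and` is evaluated per hop.
    print(redirect_chain_matches([build_lure(b"sv=o365"), build_lure(b"&uid=USER")]))  # False
```

The same derivation applied to any other fixed query fragment gives the substring set a `strings.contains` check needs to stay alignment-independent.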