Link: Mamba 2FA phishing kit

calendar Nov 19, 2025  ·
Share on: linkedin copy

Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.

Sublime rule (View on GitHub)

 1name: "Link: Mamba 2FA phishing kit"
 2description: "Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and (
 9    any(ml.nlu_classifier(body.current_thread.text).intents,
10        .name == 'cred_theft' and .confidence == 'high'
11    )
12    or (
13      length(recipients.to) == 1
14      and any(recipients.to,
15              strings.icontains(body.current_thread.text, .email.email)
16      )
17      and regex.icontains(body.current_thread.text,
18                          '(invoice|document|docusign|past due|confirm receipt)'
19      )
20    )
21  )
22  and any(body.links,
23          any(ml.link_analysis(., mode="aggressive").redirect_history,
24              (
25                // sv=o365 to base64
26                strings.contains(.url, 'c3Y9bzM2NV')
27                // &uid=USER base64 offsets
28                and (
29                  strings.contains(.url, 'JnVpZD1VU0VS')
30                  or strings.contains(.url, 'Z1aWQ9VVNFU')
31                  or strings.contains(.url, 'mdWlkPVVTRV')
32                )
33              )
34          )
35  )  
36
37attack_types:
38  - "Credential Phishing"
39tactics_and_techniques:
40  - "Evasion"
41  - "Social engineering"
42detection_methods:
43  - "URL analysis"
44id: "8d527c0f-9dc8-5d96-ac85-13f67147cc9c"
to-top