Link: Multiple HTTP protocols in single URL

Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques.

Sublime rule (View on GitHub)

# NOTE(review): the name and description say "5 or more HTTP protocol
# declarations", but the thresholds in `source` fire at three (>= 3 distinct
# root domains and regex.count(...) >= 3) — confirm which is intended and
# align the text with the logic.
name: "Link: Multiple HTTP protocols in single URL"
description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // only threads with 1–9 links are evaluated; the upper bound of 10 is not
  // explained here — presumably a cost / noise limit, confirm
  and 0 < length(body.current_thread.links) < 10
  and any(body.current_thread.links,
          .visible
          // no ability to loop query_params_decoded, so create the non-decoded equivalent
          // below: the percent-encoded forms (%3A / %253A, %2F / %252F) are matched
          // explicitly in each regex because the raw query string is used
          and not strings.icontains(.href_url.url, 'unsubscribe')
          and not strings.icontains(.display_text, 'unsubscribe')
          // split the raw query string into name/value pairs
          // assumes .href_url.query_params keeps its leading '?' (the pattern
          // requires '?' or '&' before every name) — confirm against the field
          and any(regex.extract(.href_url.query_params,
                                '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
                  ),
  
                  // filter down to query params that start with a url
                  // (scheme is optional, so protocol-relative "//host" values qualify too)
                  regex.contains(.named_groups['value'],
                                 '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                  )
                  // the number of unique domains in the URL query param is greater or equal to three
                  // note: the domain capture stops at '/', whitespace, '&' or '%', so a
                  // percent-encoded character inside a hostname truncates the capture,
                  // while a ":port" suffix is kept — relies on parse_domain tolerating it
                  and length(distinct(map(filter(regex.iextract(.named_groups['value'],
                                                         '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
                                          ),
                                          // sometimes URLs have // and produce entries we want to skip
                                          // so ensure it's a valid domain first
                                          strings.parse_domain(.named_groups['domain']).error is null
                                          and strings.parse_domain(.named_groups['domain']).valid
                                          // remove domains that are the same as the sender root domain
                                          and strings.parse_domain(.named_groups['domain']).root_domain != sender.email.domain.root_domain
                                      ),
                                      // return just the root domain
                                      strings.parse_domain(.named_groups['domain']).root_domain
                             ), .)
                  ) >= 3
  
                  // there are three or more total URLs in that query param
                  // (counts scheme-optional "//" separators, same pattern as the filter above)
                  and regex.count(.named_groups['value'],
                                  '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                  ) >= 3
          )
  )  

tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"
