Link: Excessive URL rewrite encoders
Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.
Sublime rule
```yaml
name: "Link: Excessive URL rewrite encoders"
description: "Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.current_thread.links,
          (
            // 4 or more encoders but they are all distinct
            length(.href_url.rewrite.encoders) >= 4
            and length(distinct(.href_url.rewrite.encoders)) >= 4
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "b88e53a7-9947-5c6b-bea9-d67906634655"
```
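To show what the `length(...) >= 4 and length(distinct(...)) >= 4` predicate is counting, here is an added Python illustration that is not part of the Sublime rule or its platform: it peels a link layer by layer (percent-encoding, open-redirect parameter, hex, base64) to build an encoder chain, then applies the rule's threshold to it. The layer detection, the encoder names and the sample links are all assumptions constructed for this example; Sublime computes `.href_url.rewrite.encoders` with its own logic.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlparse
URL_RE = re.compile(r"https?://", re.I)

def _hidden_url(value):
    """Return (encoder, inner_url) if a query value hides a URL, else None."""
    if URL_RE.match(value):                          # plain open-redirect parameter
        return "redirect", value
    try:
        text = bytes.fromhex(value).decode("utf-8")  # hex-encoded URL
        if URL_RE.match(text):
            return "hex", text
    except ValueError:                               # not hex, or not UTF-8
        pass
    for altchars in (None, b"-_"):                   # standard, then URL-safe base64
        try:
            text = base64.b64decode(value + "=" * (-len(value) % 4), altchars, validate=True).decode("utf-8")
        except ValueError:                           # binascii.Error is a ValueError
            continue
        if URL_RE.match(text):
            return "base64", text
    return None

def peel_encoders(url, max_depth=10):
    """Unwrap `url` one layer at a time; return the encoder names found, outermost first."""
    encoders = []
    for _ in range(max_depth):
        decoded = unquote(url)
        if decoded != url:                           # a percent-encoding layer
            encoders.append("percent")
            url = decoded
            continue
        hits = [h for _, v in parse_qsl(urlparse(url).query, keep_blank_values=True) if (h := _hidden_url(v))]
        if not hits:
            break                                    # nothing left to unwrap
        name, url = hits[0]
        encoders.append(name)
    return encoders

def rule_matches(links):
    """Added mirror of the rule's predicate (not Sublime's .href_url.rewrite.encoders)."""
    return any(len(e) >= 4 and len(set(e)) >= 4 for e in map(peel_encoders, links))

# Constructed samples: four distinct layers (percent > redirect > base64 > hex), and the same encoder twice.
FINAL = "https://final.example/"
HEX_LINK = "https://hex.example/x?h=" + FINAL.encode().hex()
B64_LINK = "https://mid.example/r?target=" + base64.urlsafe_b64encode(HEX_LINK.encode()).decode().rstrip("=")
LAYERED_LINK = "https://rewrite.example/go?u=" + quote(B64_LINK, safe="")
DOUBLE_LINK = "https://rewrite.example/go?u=" + quote(quote(FINAL, safe=""), safe="")
```

The double-encoded sample yields three layers of which only two are distinct, so this mirror of the rule does not fire on it, matching the rule's source rather than the broader wording of its description.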