Link: Numeric IP obfuscation in URL

Detects inbound messages containing links whose host is a purely numeric IPv4 representation (the decimal "dword" form, e.g. http://3232235777/ for 192.168.1.1). Attackers use this form to evade URL filters that key on domain names or dotted-quad addresses and to make the true destination harder for a recipient to recognise. Note the regex's scope: it matches a host of 7 to 12 decimal digits followed by a path, so hex (0x...) or dotted-octal hosts, and bare numeric hosts with no trailing path, are not covered by this rule.

Sublime rule (View on GitHub)

name: "Link: Numeric IP obfuscation in URL"
description: "Detects inbound messages containing links where the host is a numeric-only IP representation, commonly used to bypass domain-based URL filtering."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links, regex.icontains(.href_url.url, 'https?://[0-9]{7,12}/.+'))
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "7d639d89-02ee-5729-8d6d-67a963fa5861"
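As an added illustration (not part of the Sublime rule or its repository), the following Python reproduces the rule's regex test over a handful of constructed links and decodes each purely numeric host back to dotted-quad form with the standard library's ipaddress module. It goes one step beyond the rule by rejecting values above the 32-bit range, which the regex's 12-digit upper bound still admits, and it shows the two gaps noted above: a numeric host with no path slips past the regex, and hex or dotted-octal hosts are not numeric-only. The sample URLs and function names are invented for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Same pattern the Sublime rule applies with regex.icontains():
# scheme, a host of 7-12 decimal digits, then a non-empty path.
RULE_PATTERN = re.compile(r"https?://[0-9]{7,12}/.+", re.IGNORECASE)

# Constructed sample links (not taken from any real campaign).
SAMPLE_LINKS = [
    "http://3232235777/login",         # 192.168.1.1 as a decimal dword, with path
    "https://2130706433/index.php",    # 127.0.0.1 in decimal
    "http://3232235777",               # same host, no path: regex requires '/.+'
    "http://0xC0A80101/login",         # hex form: not numeric-only, not matched
    "http://0300.0250.01.01/login",    # dotted octal: not matched
    "http://example.com/3232235777/",  # digits only in the path, host is a domain
    "http://99999999999/x",            # 11 digits: passes the regex, exceeds 32 bits
]


def rule_matches(url: str) -> bool:
    """Mirror of the rule's regex check on a single href URL."""
    return RULE_PATTERN.search(url) is not None


def decode_decimal_host(url: str):
    """Return the dotted-quad IPv4 address for a purely numeric host.

    Returns None when the host is not all digits (domain, hex, dotted
    octal) or when the integer does not fit in 32 bits, which a browser
    would also refuse to treat as an IPv4 address.
    """
    host = urlsplit(url).hostname or ""
    if not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def triage(links):
    """Pair each link with the rule verdict and the decoded destination."""
    return [(url, rule_matches(url), decode_decimal_host(url)) for url in links]


if __name__ == "__main__":
    for url, hit, decoded in triage(SAMPLE_LINKS):
        print(f"{'HIT ' if hit else 'miss'}  {url:<35}  -> {decoded}")
```

Running it shows why an analyst should decode the host rather than trust the digits: the first two links resolve to private/loopback addresses, the third is the same destination but evades the rule for lack of a path, and the last passes the regex while not being a valid IPv4 address at all.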