Link: URL scheme obfuscation via split HTML anchors
Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems. This sophisticated evasion technique breaks the URL scheme (http/https) across separate anchor elements, rendering as: <a>h</a><a>ttp://malicious.com</a>
The technique bypasses many security tools that expect complete, well-formed URLs while displaying a seemingly normal link to end users. This pattern is strongly associated with credential phishing and compromised email accounts.
References:
- Observed in wild credential phishing campaigns (2024-2025)
- Evades traditional URL extraction and analysis tools
Sublime rule
name: "Link: URL scheme obfuscation via split HTML anchors"
description: |
  Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems.
  This sophisticated evasion technique breaks the URL scheme (http/https) across separate anchor elements,
  rendering as: <a>h</a><a>ttp://malicious.com</a>

  The technique bypasses many security tools that expect complete, well-formed URLs while displaying a
  seemingly normal link to end users. This pattern is strongly associated with credential phishing and
  compromised email accounts.

  References:
  - Observed in wild credential phishing campaigns (2024-2025)
  - Evades traditional URL extraction and analysis tools
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.current_thread.links) == 2
  and length(filter(html.xpath(body.html, "//a").nodes,
                    .display_text == "h"
                    and any(.links, .href_url.scheme in ("http", "https"))
  )) == 1
  and length(filter(html.xpath(body.html, "//a").nodes,
                    (
                      strings.starts_with(.display_text, "ttp://")
                      or strings.starts_with(.display_text, "ttps://")
                    )
                    and any(.links, .href_url.scheme in ("http", "https"))
  )) == 1

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "HTML injection"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "10375948-f8dd-542c-bd58-e258ef82076d"
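The following is an added example, not part of the Sublime rule above and not Sublime's code. It re-implements the same split-anchor check in plain Python on a raw HTML body so the logic can be tested offline: it collects every anchor's href and display text, flags an anchor whose visible text is exactly "h" immediately followed by one whose visible text starts with "ttp://" or "ttps://" (both with http(s) hrefs), and reassembles the URL the recipient actually sees. The `matches_rule` function approximates the rule's counting conditions; in particular, `length(body.current_thread.links) == 2` is approximated as "exactly two http(s) anchors in the body", which is an assumption about Sublime's link model. The sample message bodies, the `login-portal.invalid` domain and the `mail.example.com` path are constructed placeholders.

```python
# Added example (not part of the Sublime rule or Sublime's code): a
# stand-alone Python re-implementation of the split-anchor check above.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, display_text) for every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]

    def handle_data(self, data):
        # Text inside nested tags (<span>, <b>, ...) still belongs to the anchor,
        # matching what a recipient sees as the link's display text.
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1]))
            self._current = None


def extract_anchors(html):
    """Return [(href, display_text), ...] for all anchors in the HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def _is_http(href):
    return urlparse(href).scheme in ("http", "https")


def find_split_scheme_anchors(html):
    """Return the URLs a reader *sees* when the scheme is split over two anchors.

    Mirrors the rule: an anchor whose display text is exactly "h" immediately
    followed by one whose display text starts with "ttp://" or "ttps://",
    both carrying http(s) hrefs. The reassembled display text is what a
    URL extractor working on visible text would have missed.
    """
    anchors = extract_anchors(html)
    findings = []
    for (href1, text1), (href2, text2) in zip(anchors, anchors[1:]):
        if (text1 == "h" and _is_http(href1) and _is_http(href2)
                and text2.startswith(("ttp://", "ttps://"))):
            findings.append({"displayed_url": text1 + text2,
                             "hrefs": (href1, href2)})
    return findings


def matches_rule(html):
    """Approximate the rule's counting conditions on a single HTML body.

    Assumption: `length(body.current_thread.links) == 2` is approximated as
    "exactly two http(s) anchors in the body"; Sublime's link model may differ.
    """
    http_anchors = [(h, t) for h, t in extract_anchors(html) if _is_http(h)]
    n_h = sum(1 for _, t in http_anchors if t == "h")
    n_rest = sum(1 for _, t in http_anchors if t.startswith(("ttp://", "ttps://")))
    return len(http_anchors) == 2 and n_h == 1 and n_rest == 1


# Constructed sample bodies (not real messages); the domains use the reserved
# .invalid TLD and the example.com placeholder.
SAMPLE_PHISH_HTML = """<html><body>
<p>Your mailbox is almost full. Review storage here:
<a href="https://login-portal.invalid/verify">h</a><a href="https://login-portal.invalid/verify">ttps://mail.example.com/storage</a></p>
</body></html>"""

SAMPLE_BENIGN_HTML = """<html><body>
<p>See <a href="https://example.com/docs">https://example.com/docs</a> and
<a href="https://example.com/help">help</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, matches_rule(body), find_split_scheme_anchors(body))
```

Note that the rule, and this re-implementation, match on the display text being exactly "h"; a variant that pads the first fragment with whitespace or splits the scheme at a different character ("ht" / "tp://") falls outside this signature, so `find_split_scheme_anchors` is best read as a hunt query for one observed shape rather than a general reassembly of fragmented links.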