Link: Personalized URL with recipient address on commonly abused web service
Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics.
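name: "Link: Personalized URL with recipient address on commonly abused web service"
description: "Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail to a single recipient with a small number of links, where at
  // least one hyperlink carries that recipient's address and points at infrastructure
  // that is cheap to abuse (free file/subdomain hosts, site builders, shorteners,
  // young domains, suspicious TLDs or redirect-style paths).
  type.inbound
  and length(recipients.to) == 1
  // recipients.to[0].email.email is the search needle below; require a valid
  // recipient domain so the needle is a well-formed address
  and recipients.to[0].email.domain.valid
  and 0 < length(body.links) < 10
  and any(body.links,
          .parser == "hyperlink"
          and (
            // the recipient email is in the url
            (
              strings.icontains(.href_url.path, recipients.to[0].email.email)
              or strings.icontains(.href_url.fragment,
                                   recipients.to[0].email.email
              )
              // also match the address when it is base64-encoded in the path or fragment
              or any(strings.scan_base64(.href_url.path, ignore_padding=true),
                     strings.icontains(., recipients.to[0].email.email)
              )
              or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                     strings.icontains(., recipients.to[0].email.email)
              )
            )
          )
          // the link host is a commonly abused service, a recently registered
          // domain, or carries a suspicious path pattern
          and (
            (
              .href_url.domain.root_domain in $free_file_hosts
              or .href_url.domain.domain in $free_file_hosts
              or .href_url.domain.root_domain in $free_subdomain_hosts
              or .href_url.domain.domain in $free_subdomain_hosts
              or .href_url.domain.root_domain in $self_service_creation_platform_domains
              or .href_url.domain.domain in $self_service_creation_platform_domains
              or .href_url.domain.root_domain in $url_shorteners
              or .href_url.domain.domain in $url_shorteners
              or .href_url.domain.root_domain == 'sendgrid.net'
              or (
                .href_url.domain.tld in $suspicious_tlds
                // 'me' and 'us' are excluded even when present in $suspicious_tlds
                and not .href_url.domain.tld in ('me', 'us')
              )
              or network.whois(.href_url.domain).days_old < 30
              or regex.icontains(.href_url.path,
                                 '\/(?:wp-(?:admin|includes)\/|redirect)'
              )
            )
            and not .href_url.domain.root_domain in ('geotab.com')
          )
          // the url contains #
          and strings.contains(.href_url.url, '#')

          // the url doesnt contain #? or #/
          and not regex.contains(.href_url.url, '#[/?]')

          // not sharepoint
          and not .href_url.domain.root_domain == 'sharepoint.com'

          // the url doesnt contain campaign params
          and not regex.icontains(.href_url.url,
                                  '(?:location|utm_(?:term|source|medium|content|campaign))='
          )
          // too many fp on typeform and no recent tp
          and not .href_url.domain.root_domain == 'typeform.com'

          // no welcome links on frame.io
          and not (
            .href_url.domain.domain == 'accounts.frame.io'
            and .href_url.path == '/welcome'
          )
          // we dont want links with common unsubscribe paths
          and not strings.icontains(.href_url.path, "unsubscribe")
  )

  // not mimecast email with malicious blocked url in it
  and not (
    subject.base == 'A message triggered content policies'
    and strings.icontains(body.current_thread.text, 'Mimecast Services Limited')
  )
  // suppress when the NLU classifier is highly confident the thread is benign
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == 'benign' and .confidence == 'high'
  )
  // senders on the high-trust list only fire when DMARC did not pass
  // (a missing auth summary is treated as a failure); all other senders
  // are evaluated unconditionally
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Header analysis"
id: "e3b5fa90-2149-54b7-ae9a-87cda01b24a5"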