Link: Recipient email address in 'eta' parameter

Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.

Sublime rule

 1name: "Link: Recipient email address in 'eta' parameter"
 2description: "Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(recipients.to) == 1
 8  and any(body.links,
 9          // eta is the only key
10          length(keys(.href_url.query_params_decoded)) == 1
11          and (
12            // the recpieints email domain is in the value
13            // we've seen cases where `.` in the local part are not in the value, thus we rely on domain only
14            strings.icontains(.href_url.query_params_decoded["eta"][0],
15                              recipients.to[0].email.domain.domain
16            )
17            // support base64 form as well
18            or strings.icontains(strings.decode_base64(.href_url.query_params_decoded["eta"][0]
19                                 ),
20                                 recipients.to[0].email.domain.domain
21            )
22          )
23  )  
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Social engineering"
28  - "Evasion"
29detection_methods:
30  - "URL analysis"
31  - "Content analysis"
32id: "d24e42a2-f8f3-55ca-b992-246e6b901b43"