Link: Referrer Anonymization Service From Untrusted Sender

Detects messages containing links that route through a referrer anonymization service (href.li, or a deref-mail style `/mail/client/...?redirectUrl=` redirector). Only untrusted senders are considered: senders whose root domain is not in the high-trust sender domain list, or senders that are in that list but fail DMARC authentication. Sender history (new, or previously flagged without false positives) and solicitation status further narrow the match.


 1name: "Link: Referrer Anonymization Service From Untrusted Sender"
 2description: "Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          // href.li
 9          (
10            .href_url.domain.root_domain == "href.li"
11            and .href_url.query_params is not null
12          )
13          // deref-mail 
14          or (
15            strings.istarts_with(.href_url.path, '/mail/client/')
16            and strings.icontains(.href_url.query_params, 'redirectUrl=')
17            // this seems to be a common behavior for gmx users
18            and not sender.email.domain.domain in ("gmx.de", "gmx.net")
19            and not (
20              sender.email.domain.domain == "mail.com"
21              and any(headers.domains, .root_domain == "mail.com")
22            )
23            // remove any links that include org domains
24            and not any($org_domains,
25                        strings.icontains(..href_url.query_params, .)
26            )
27            // remove any links that are to common "signature" sites
28            // this does open up some FNs due to abuse of redirects of these sites
29            // if FNs are obsevered, we should tighten the logic of these to account
30            // for the redirect behavior
31            and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
32                        strings.icontains(..href_url.query_params, .)
33            )
34  
35            // remove links which contain the sender domain if the sender doesn't have any malicious messages
36            and not (
37              strings.icontains(.href_url.query_params,
38                                sender.email.domain.root_domain
39              )
40              and not profile.by_sender_domain().any_messages_malicious_or_spam
41            )
42          )
43  )
44  // apply sender profile elements specific to the sender_email
45  and (
46    profile.by_sender_email().prevalence == "new"
47  
48    // if they aren't new, there are some condition that still result in a match
49    or (
50      // and have been flagged previous
51      profile.by_sender_email().any_messages_malicious_or_spam
52      // without any false positives
53      and not profile.by_sender_email().any_false_positives
54    )
55  )
56  // negate solicited senders
57  and not profile.by_sender_email().solicited
58  // negate highly trusted sender domains unless they fail DMARC authentication
59  and (
60    (
61      sender.email.domain.root_domain in $high_trust_sender_root_domains
62      and not headers.auth_summary.dmarc.pass
63    )
64    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
65  )  
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Open redirect"
70  - "Evasion"
71detection_methods:
72  - "Header analysis"
73  - "URL analysis"
74  - "Sender analysis"
75id: "9fab2e1e-96d2-504f-b3dd-8af12f0e553d"