Link: Suspicious URL path with binary character sequence

Detects inbound messages containing links whose URL path follows a specific suspicious pattern: a forward slash, then a digit, an uppercase letter, a run of lowercase alphanumeric characters, a hyphen, another run of lowercase alphanumeric characters, and exactly five binary digits (0s and 1s) at the end of the path.

Sublime rule

name: "Link: Suspicious URL path with binary character sequence"
description: "Detects inbound messages containing links with URLs that follow a specific suspicious pattern: starting with a forward slash, followed by a digit, uppercase letter, alphanumeric characters, a hyphen, more alphanumeric characters, and ending with exactly five binary digits (0s and 1s)."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          regex.contains(.href_url.path,
                         '^\/[0-9][A-Z][a-z0-9]+\-[a-z0-9]+[01]{5}$'
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "e366f316-6e63-593f-aaeb-330ec90fb845"
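The following Python is an added example, not part of the Sublime rule or its repository. It re-implements the rule's logic outside the platform so the regex can be exercised against constructed sample links, including the edge cases the anchored pattern creates: only the URL path is tested (query strings are ignored), the match is case-sensitive, and the second lowercase run must contribute at least one character before the five-digit binary tail. The `message` dictionary shape (`direction`, `body_links`) is a stand-in assumed for this example, not Sublime's actual message data model.

```python
import re
from urllib.parse import urlparse

# Same pattern the rule passes to regex.contains(); because it is anchored
# with ^ and $, "contains" is effectively a full match on the path component.
SUSPICIOUS_PATH = re.compile(r'^\/[0-9][A-Z][a-z0-9]+\-[a-z0-9]+[01]{5}$')


def path_is_suspicious(href_url: str) -> bool:
    """Return True when the URL's path component matches the rule's pattern.

    Only the path is checked, mirroring .href_url.path in the rule: the host,
    query string, and fragment never take part in the match.
    """
    path = urlparse(href_url).path
    return SUSPICIOUS_PATH.search(path) is not None


def message_matches(message: dict) -> bool:
    """Mirror of the rule's source: an inbound message with any matching link.

    `message` is a constructed stand-in shape, not Sublime's message model.
    """
    if message.get("direction") != "inbound":
        return False
    return any(path_is_suspicious(link["href_url"])
               for link in message.get("body_links", []))


# Constructed sample links (example.test is a reserved, non-routable domain).
SAMPLES = {
    # digit, uppercase, lowercase run, hyphen, lowercase run, five binary digits
    "https://example.test/3Xabc12-def3401101": True,
    # the query string is not part of the path, so this still matches
    "https://example.test/3Xabc12-def3401101?x=1": True,
    # tail ends with only two binary digits
    "https://example.test/3Xabc12-def34abc11": False,
    # second character is lowercase; the pattern is case-sensitive
    "https://example.test/3xabc12-def3401101": False,
    # no hyphen separating the two runs
    "https://example.test/3Xabc12def3401101": False,
    # only five characters after the hyphen: the second run needs at least one
    # character of its own before the [01]{5} tail, so this does not match
    "https://example.test/1A0-00000": False,
    # six zeros: one for the second run, five for the binary tail
    "https://example.test/1A0-000000": True,
    "https://example.test/login": False,
}


def evaluate_samples(samples: dict = SAMPLES) -> dict:
    """Run every sample link through the check; returns {url: matched}."""
    return {url: path_is_suspicious(url) for url in samples}


if __name__ == "__main__":
    for url, matched in evaluate_samples().items():
        print(f"{'MATCH ' if matched else 'no    '} {url}")
```

Running the block prints one line per sample; the `message_matches` helper shows how the `type.inbound` condition and the `any(body.links, ...)` iteration combine, so a non-inbound message with a matching link is still not flagged.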