Link: Suspicious go.php redirect with document lure

calendar Feb 6, 2026  ยท
Share on: linkedin copy

Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.

Sublime rule (View on GitHub)

 1name: "Link: Suspicious go.php redirect with document lure"
 2description: "Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.current_thread.links,
 8          strings.ends_with(.href_url.path, "go.php")
 9          and strings.starts_with(.href_url.query_params, "auth=")
10          and strings.count(.href_url.path, "/") == 2
11  )  
12
13attack_types:
14  - "Credential Phishing"
15tactics_and_techniques:
16  - "Evasion"
17  - "Social engineering"
18detection_methods:
19  - "Content analysis"
20  - "URL analysis"
21id: "f3d8c227-116e-578c-9e12-4be0efd02e94"
to-top