Link: SVG with embedded recipient data
Detects SVG links that contain the recipient's email address either in plain text or base64 encoded format within the URL, indicating potential tracking or targeting mechanisms.
Sublime rule (View on GitHub)
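name: "Link: SVG with embedded recipient data"
description: "Detects SVG links that contain the recipient's email address either in plain text or base64 encoded format within the URL, indicating potential tracking or targeting mechanisms."
type: "rule"
severity: "high"
source: |
  // Scope and known limitations of the checks below:
  //  - only recipients.to is inspected; an address that appears only in cc/bcc
  //    and is embedded in the link will not match
  //  - only plain-text and base64 forms of the address are detected; hashed
  //    identifiers (e.g. MD5/SHA of the address), hex encoding, or a link that
  //    embeds only the local part are not covered
  //  - only links whose URL path ends in the literal '.svg' are considered
  type.inbound
  and any(body.links,
          strings.iends_with(.href_url.path, '.svg')
          and any(recipients.to,
                  // ignore recipients whose domain fails validation
                  .email.domain.valid
                  // recipient address contained in the url in plain text
                  and (
                    strings.icontains(..href_url.url, .email.email)
                    // or contained in a base64-encoded segment of the url
                    // NOTE(review): format="url" selects the URL-safe alphabet; if the
                    // scanner is strict about the alphabet, an address encoded with
                    // standard base64 (output containing '+' or '/') could be missed —
                    // confirm, and consider a second scan with the standard format
                    or any(strings.scan_base64(..href_url.url,
                                               format="url",
                                               ignore_padding=true
                           ),
                           strings.icontains(., ..email.email)
                    )
                  )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "a67ff913-f8cf-58af-a159-7ae20f6c063d"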