Link: URL path containing /moni/index

Detects inbound messages containing links whose URL path contains '/moni/index.', either directly in the path or inside a decoded query-parameter value (the redirect case, where the target URL is carried as a parameter of an otherwise benign link); a bare '/moni' path also matches. This pattern has been observed in the wild leading to credential phishing.

Sublime rule (View on GitHub)

```yaml
name: "Link: URL path containing /moni/index"
description: "Detects inbound messages containing links to '/moni/index.' paths, either directly in the URL path or within query parameters. This pattern has been observed in the wild leading to credential phishing"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.current_thread.links,
          // the literal appears in the link's own path
          regex.icontains(.href_url.path, '\/moni\/index\.')
          // or in any percent-decoded query-parameter value (redirector target)
          or any(values(.href_url.query_params_decoded),
                 any(., regex.icontains(., '\/moni\/index\.'))
          )
          // or the path is exactly /moni
          or .href_url.path == "/moni"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "9d8aa316-64c8-5d48-89be-06cc56eaa1f8"
```
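To see what each of the three branches catches and misses, the rule's link test is re-implemented below in plain Python over a handful of constructed URLs. This is an added example, not Sublime's code or its MQL engine: `link_matches` and `message_matches` are hypothetical names, `urllib.parse.parse_qs` stands in for `query_params_decoded` (one level of percent-decoding is assumed), and the sample links are invented for illustration, not observed indicators.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Python equivalent of the rule's regex.icontains(..., '\/moni\/index\.'):
# the literal "/moni/index." anywhere in the string, case-insensitively.
MONI_INDEX = re.compile(r"/moni/index\.", re.IGNORECASE)


def link_matches(href_url: str) -> bool:
    """Return True when one link satisfies the body of the rule's any(...)."""
    parts = urlsplit(href_url)

    # Branch 1: the literal appears in the URL path itself.
    if MONI_INDEX.search(parts.path):
        return True

    # Branch 2: the literal appears in any percent-decoded query-parameter
    # value. parse_qs decodes values once; that is the behaviour assumed here
    # for href_url.query_params_decoded. This branch is what catches a
    # redirector whose target URL is carried in a parameter.
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(MONI_INDEX.search(v) for values in params.values() for v in values):
        return True

    # Branch 3: an exact, case-sensitive "/moni" path (no trailing slash).
    return parts.path == "/moni"


def message_matches(is_inbound: bool, links: list[str]) -> bool:
    """Emulates: type.inbound and any(body.current_thread.links, ...)."""
    return is_inbound and any(link_matches(u) for u in links)


# Constructed sample links (not taken from the page or any real campaign),
# paired with the verdict the rule logic should produce.
SAMPLES = {
    "https://example.test/moni/index.php": True,
    "https://example.test/MONI/Index.HTML?id=42": True,
    "https://redirect.example.test/out?url=https%3A%2F%2Fphish.example.test%2Fmoni%2Findex.php": True,
    "https://example.test/moni": True,
    "https://example.test/moni/": False,
    "https://example.test/monitor/index.html": False,
    "https://example.test/docs/moni-index.html": False,
}


def evaluate_samples() -> dict[str, bool]:
    """Run every sample link through link_matches and return the verdicts."""
    return {url: link_matches(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in evaluate_samples().items():
        status = "OK " if verdict == SAMPLES[url] else "BAD"
        print(f"{status} {'match' if verdict else 'clean'}  {url}")
```

Two things worth noting from the samples: the exact-path branch is case-sensitive and does not match "/moni/", so only the regex branches are case-insensitive, and the query-parameter branch depends on how many times the value is decoded, so a target URL that is percent-encoded twice would only be caught if the decoder loops until stable.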