Link: URL redirecting to blob URL

Detects messages containing links that redirect to blob URLs, indicating potential malware delivery or credential harvesting.

Sublime rule

```yaml
name: "Link: URL redirecting to blob URL"
description: "Detects messages containing links that redirect to blob URLs, indicating potential malware delivery or credential harvesting."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 10
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // the url redirects to a blob url
          ml.link_analysis(.).effective_url.scheme =~ 'blob'
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "Threat intelligence"
id: "1677135b-5d97-55fc-8fe7-11aa19dd165c"
```
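To make the rule's evaluation concrete, the following is an added Python port of its conditions (not Sublime's own code). The `EFFECTIVE_URL` table is a constructed stand-in for `ml.link_analysis(.).effective_url`, which in Sublime actually follows the link's HTTP and JavaScript redirects; all URLs and addresses below are made up.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for ml.link_analysis(): original href -> URL a browser
# finally lands on after redirects. Real link analysis resolves this live.
EFFECTIVE_URL = {
    "https://files.example/open?id=42": "blob:https://files.example/3f1c-constructed",
    "https://docs.example/view": "https://docs.example/view",
}

@dataclass
class Message:
    inbound: bool          # type.inbound
    links: list            # body.links (hrefs found in the body)
    to: list               # recipients.to
    to_domain_valid: bool = True  # recipients.to[0].email.domain.valid

def effective_scheme(url: str) -> str:
    """Scheme of the URL reached after redirects; unresolved links map to themselves.
    Lower-cased so the comparison matches MQL's case-insensitive =~ operator."""
    return urlsplit(EFFECTIVE_URL.get(url, url)).scheme.lower()

def redirects_to_blob(msg: Message) -> bool:
    """True when the message satisfies every condition of the rule's source."""
    return (
        msg.inbound
        and 0 < len(msg.links) < 10
        and len(msg.to) == 1
        and msg.to_domain_valid
        and any(effective_scheme(u) == "blob" for u in msg.links)
    )

if __name__ == "__main__":
    flagged = Message(True, ["https://files.example/open?id=42"], ["a@corp.example"])
    benign = Message(True, ["https://docs.example/view"], ["a@corp.example"])
    print(redirects_to_blob(flagged), redirects_to_blob(benign))  # True False
```

Note that the rule only fires on the final scheme, so a link whose landing page merely embeds a blob: URL without navigating to it is not matched.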