Link: URL fragment with hexadecimal pattern obfuscation

Detects links containing URL fragments with repeating hexadecimal patterns, commonly used to obfuscate malicious destinations or bypass security filters.

Sublime rule (View on GitHub)

name: "Link: URL fragment with hexadecimal pattern obfuscation"
description: "Detects links containing URL fragments with repeating hexadecimal patterns, commonly used to obfuscate malicious destinations or bypass security filters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          regex.contains(.href_url.fragment, '.html\/\?(?:[a-f0-9]{2}\.){12,}')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "51f51aa0-4e62-5140-8baa-014cd95f7a46"
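To see where the rule's pattern does and does not fire, the following added example (not part of the Sublime rule or its repository) applies the same regular expression to the fragment of a few constructed links. It assumes Python's `re` and `urlsplit` behave like the rule engine's `regex.contains` and `.href_url.fragment` for this expression; `example.com` and the helper names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Pattern copied verbatim from the rule's source. Assumption: Python's re
# interprets this simple expression the same way the rule engine does.
FRAGMENT_PATTERN = re.compile(r'.html\/\?(?:[a-f0-9]{2}\.){12,}')


def fragment_matches(href: str) -> bool:
    """True when the URL fragment (text after '#') matches the rule pattern."""
    fragment = urlsplit(href).fragment
    return FRAGMENT_PATTERN.search(fragment) is not None


def hex_run(groups: int, sep: str = ".") -> str:
    """Constructed run of lowercase hex pairs, e.g. 'a0.a1.a2.'."""
    return "".join(f"{0xA0 + i:02x}{sep}" for i in range(groups))


# Constructed sample links; none come from real traffic.
BASE = "https://example.com/landing"
SAMPLES = {
    # Exactly 12 dot-separated hex pairs after '.html/?' in the fragment.
    "fragment_12_pairs": f"{BASE}#/index.html/?{hex_run(12)}",
    # Longer runs also satisfy the {12,} quantifier.
    "fragment_20_pairs": f"{BASE}#page.html/?{hex_run(20)}",
    # 11 pairs is below the rule's threshold.
    "fragment_11_pairs": f"{BASE}#/index.html/?{hex_run(11)}",
    # The character class is lowercase only, so uppercase hex is missed.
    "fragment_uppercase": f"{BASE}#/index.html/?{hex_run(12).upper()}",
    # Same string in the query, not the fragment: the rule never inspects it.
    "query_not_fragment": f"https://example.com/index.html/?{hex_run(12)}",
    # Hex pairs without the '.' separator do not match.
    "fragment_no_dots": f"{BASE}#/index.html/?{hex_run(12, sep='')}",
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the rule pattern would match it."""
    return {name: fragment_matches(url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:22} {'MATCH' if hit else 'no match'}")
```

The uppercase and query-string cases mark the boundaries of this rule's coverage when tuning or pairing it with other detections.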