Link: Shortened URL with fragment matching subject

Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics.

Sublime rule

name: "Link: Shortened URL with fragment matching subject"
description: "Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          .href_url.domain.root_domain in $url_shorteners
          and .href_url.fragment is not null
          and length(.href_url.fragment) > 5
          and strings.contains(subject.subject, .href_url.fragment)
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
id: "120e92cc-db08-5b5e-bf26-fcf4c565e6e3"
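To make the rule's four conditions concrete, here is an added Python re-implementation of the same logic run over a few constructed messages. It is example code written for this page, not Sublime's engine or its MQL evaluator. Assumptions: `URL_SHORTENERS` is a small constructed stand-in for the `$url_shorteners` list, `root_domain()` is a simplified registrable-domain helper (real deployments would use the Public Suffix List), and the substring check is case-sensitive to mirror `strings.contains` rather than `strings.icontains`.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for Sublime's $url_shorteners list (assumption:
# a small subset; the real list is maintained by Sublime Security).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Assumption: only one multi-label public suffix is modelled here; a real
# implementation would consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk"}


def root_domain(host: str) -> str:
    """Approximate .href_url.domain.root_domain (the registrable domain)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Link:
    href_url: str


@dataclass
class Message:
    subject: str          # subject.subject
    links: list           # body.current_thread.links (quoted history excluded)


def link_matches(subject: str, href: str, shorteners=URL_SHORTENERS) -> bool:
    """Evaluate the rule's per-link predicate for one href."""
    parts = urlsplit(href)
    # .href_url.domain.root_domain in $url_shorteners
    if root_domain(parts.hostname or "") not in shorteners:
        return False
    # .href_url.fragment is not null (urlsplit yields "" when there is no '#')
    fragment = parts.fragment
    if not fragment:
        return False
    # length(.href_url.fragment) > 5 filters out short, generic anchors
    if len(fragment) <= 5:
        return False
    # strings.contains(subject.subject, .href_url.fragment): case-sensitive
    # substring test, the suspicious "subject and link share a token" signal
    return fragment in subject


def rule_fires(msg: Message) -> bool:
    """any(body.current_thread.links, <predicate>) for an inbound message."""
    return any(link_matches(msg.subject, link.href_url) for link in msg.links)


def matching_subjects(messages) -> list:
    """Return the subjects of every message the rule would flag."""
    return [m.subject for m in messages if rule_fires(m)]


# Constructed sample messages: only the first should trigger the rule.
SAMPLE_MESSAGES = [
    Message("Invoice REF-20481 overdue", [Link("https://bit.ly/3xyz#REF-20481")]),
    Message("Ticket 1234", [Link("https://bit.ly/a#1234")]),               # fragment too short
    Message("Invoice REF-20481", [Link("https://example.com/p#REF-20481")]),  # not a shortener
    Message("Hello", [Link("https://tinyurl.com/x#TRACK99")]),            # fragment not in subject
    Message("REF-20481", [Link("https://t.co/abc")]),                     # no fragment at all
]

if __name__ == "__main__":
    print(matching_subjects(SAMPLE_MESSAGES))
```

Two details worth noticing when tuning this rule: the `length(...) > 5` floor is what keeps short anchors such as `#top` or `#1234` from matching by coincidence, and `body.current_thread.links` scopes the check to the newest message in the thread, so a shortened link quoted from an earlier reply does not count.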