Link: Suspicious URL with recipient targeting and special characters

Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

Sublime rule (View on GitHub)

name: "Link: Suspicious URL with recipient targeting and special characters"
description: "Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // a single path
          strings.count(.href_url.path, '/') == 2
          and (
            strings.icontains(.href_url.path, '/$')
            or strings.icontains(.href_url.path, '/*')
            or strings.icontains(.href_url.url, '/#')
          )
          and (
            // special char in the path
            (
              (
                strings.icontains(.href_url.path, '!')
                or strings.icontains(.href_url.path, '@')
              )

              // ensure expected ordering: the special char precedes the '/$', '/*' or '/#'
              and regex.icontains(.href_url.url, '[!@].*\/[$\*#]')
            )
            // letters followed by exactly 3 digits, or 3 digits followed by letters
            or (
              // in subdomain
              regex.icontains(.href_url.domain.subdomain,
                              '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)$'
              )
              // url path
              and regex.icontains(.href_url.path,
                                  '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
              )
            )
          )
          and (
            strings.icontains(.href_url.path, recipients.to[0].email.email)
            or any(strings.scan_base64(.href_url.url,
                                       ignore_padding=true,
                                       format="url"
                   ),
                   strings.icontains(., recipients.to[0].email.email)
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "e808be3a-e00c-5565-87f7-d0ca0411650d"
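To see what the rule's per-link predicate actually matches, here is an added Python re-implementation of the same logic run over constructed sample links. This is not Sublime's code and not part of the rule page: `scan_base64` (a stand-in for `strings.scan_base64(..., ignore_padding=true, format="url")`), `subdomain_of` (assumes a two-label registrable domain) and the "." check standing in for `email.domain.valid` are simplifications; the recipient address and all sample URLs are made up for the example.

```python
"""Approximate Python mirror of the Sublime rule's link predicate (added example, not Sublime code)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample recipient for the example.
RECIPIENT = "jane.doe@example.com"

# The same regexes the rule uses; re.I mirrors regex.icontains.
ORDERING_RE = re.compile(r"[!@].*\/[$\*#]", re.I)
LABEL_RE = re.compile(r"^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)$", re.I)
PATH_LABEL_RE = re.compile(r"\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/", re.I)
# Runs of URL-safe base64 characters; approximates strings.scan_base64 with format="url".
B64_RUN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


def scan_base64(text):
    """Yield the decoded text of every URL-safe base64 run, tolerating stripped padding."""
    for run in B64_RUN_RE.findall(text):
        padded = run + "=" * (-len(run) % 4)  # ignore_padding=true
        try:
            yield base64.urlsafe_b64decode(padded).decode("utf-8", errors="ignore")
        except (binascii.Error, ValueError):
            continue


def subdomain_of(host):
    """Labels left of the registrable domain (assumption: registrable domain is two labels)."""
    labels = host.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def link_is_suspicious(url, recipient):
    """Mirror of the predicate inside the rule's any(body.links, ...)."""
    parts = urlsplit(url)
    path, lower_path, lower_url = parts.path, parts.path.lower(), url.lower()
    single_path = path.count("/") == 2
    suspicious_end = "/$" in lower_path or "/*" in lower_path or "/#" in lower_url
    # Branch 1: '!' or '@' in the path, and it must come before the '/$', '/*' or '/#'.
    special_char = ("!" in lower_path or "@" in lower_path) and ORDERING_RE.search(url) is not None
    # Branch 2: alpha+3 digits (or 3 digits+alpha) label in both subdomain and path.
    numbered_label = (
        LABEL_RE.search(subdomain_of(parts.hostname or "")) is not None
        and PATH_LABEL_RE.search(path) is not None
    )
    target = recipient.lower()
    targets_recipient = target in lower_path or any(target in d.lower() for d in scan_base64(url))
    return single_path and suspicious_end and (special_char or numbered_label) and targets_recipient


def message_is_suspicious(recipients, links):
    """Message-level gate: exactly one recipient with a valid-looking domain, then any link."""
    if len(recipients) != 1:
        return False
    if "." not in recipients[0].rsplit("@", 1)[-1]:  # stand-in for email.domain.valid
        return False
    return any(link_is_suspicious(u, recipients[0]) for u in links)


# Constructed samples: the recipient is base64url-encoded (padding stripped) into fragment or query.
B64_RECIPIENT = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_LINKS = {
    "special_char_fragment": f"https://cdn.example.test/!login/$#{B64_RECIPIENT}",
    "numbered_labels_query": f"https://abc123.example.test/xyz789/*?t={B64_RECIPIENT}",
    "plain_email_in_path": f"https://cdn.example.test/@{RECIPIENT}/$",
    "wrong_order": f"https://cdn.example.test/$/!x#{B64_RECIPIENT}",  # '!' after '/$' fails ordering
    "benign": "https://www.example.test/news/article",
}


def classify_samples():
    """Return {sample name: verdict} for the constructed links above."""
    return {name: link_is_suspicious(url, RECIPIENT) for name, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} {'SUSPICIOUS' if verdict else 'clean'}")
```

The `wrong_order` sample shows why the rule pairs the `!`/`@` check with the ordering regex: a `$` or `*` segment that appears before the special character is not what the rule describes, and the regex rejects it even though every other condition holds.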