Link: Obfuscation via userinfo with Excessive URL Padding
Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.
Sublime rule (View on GitHub)
1name: "Link: Obfuscation via userinfo with Excessive URL Padding"
2description: "Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and 0 < length(body.links) < 100
8 and any(body.links,
9 // Detects deceptive URLs where the URL appears to start with a trusted domain (e.g., youtube.com@),
10 // but the actual destination domain is something else (e.g., malicious-site.com).
11 // In such cases, browsers interpret the portion before the '@' symbol as a username (e.g., youtube.com),
12 // and the URL resolves to the domain after the '@' symbol (malicious-site.com).
13 // This technique is often used in phishing attacks to trick users into trusting the link by showing a familiar domain.
14 // (?:%(?:25)?[a-f0-9]{2}){30,} is the key part which detects 30 or more URL encoded values before an @ (or a URL encoded @)
15 regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
16 'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
17 )
18 and not (
19 .href_url.domain.sld == "google"
20 and strings.istarts_with(.href_url.path, '/maps/place')
21 )
22 )
23attack_types:
24 - "Credential Phishing"
25tactics_and_techniques:
26 - "Evasion"
27 - "Impersonation: Brand"
28detection_methods:
29 - "URL analysis"
30id: "806317a3-d931-501c-9505-d2e08c646565"