Link: Obfuscation via userinfo with Excessive URL Padding

Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.

Sublime rule (View on GitHub)

 1name: "Link: Obfuscation via userinfo with Excessive URL Padding"
 2description: "Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and 0 < length(body.links) < 100
 8  and any(body.links,
 9          // Detects deceptive URLs where the URL appears to start with a trusted domain (e.g., youtube.com@),
10          // but the actual destination domain is something else (e.g., malicious-site.com).
11          // In such cases, browsers interpret the portion before the '@' symbol as a username (e.g., youtube.com),
12          // and the URL resolves to the domain after the '@' symbol (malicious-site.com).
13          // This technique is often used in phishing attacks to trick users into trusting the link by showing a familiar domain.
14          // (?:%(?:25)?[a-f0-9]{2}){30,} is the key part which detects 30 or more URL encoded values before an @ (or a URL encoded @)
15          regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
16                          'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
17          )
18          and not (
19            .href_url.domain.sld == "google"
20            and strings.istarts_with(.href_url.path, '/maps/place')
21          )
22  )  
23attack_types:
24  - "Credential Phishing"
25tactics_and_techniques:
26  - "Evasion"
27  - "Impersonation: Brand"
28detection_methods:
29  - "URL analysis"
30id: "806317a3-d931-501c-9505-d2e08c646565"
to-top