Malformed URL prefix

Malformed URL prefix is a technique used to evade email security scanners: the URL scheme is followed by backslashes, such as http:\\ instead of http://, so a scanner that only extracts well-formed URL prefixes may not recognise or analyse the link. The rule below flags hrefs containing ":/\" and backslash-prefixed URLs in the plain-text body, excluding cases that are accounted for by Microsoft Safe Links rewriting.

Sublime rule

name: Malformed URL prefix
description: |
    Malformed URL prefix is a technique used to evade email security scanners.
references:
  - "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/"
type: "rule"
severity: "high"
source: |
  any(body.links, regex.icontains(.href_url.url, ':/\\'))
  or (
    regex.icontains(body.plain.raw, 'https?:\\\\[^\\s]+')
    and (
      length(filter(body.current_thread.links,
                    strings.icontains(.href_url.rewrite.original,
                                      "safelinks.protection.outlook.com"
                    )
             )
      ) == 0
      or not all(filter(body.current_thread.links,
                        strings.icontains(.href_url.rewrite.original,
                                          "safelinks.protection.outlook.com"
                        )
                 ),
                 strings.icontains(body.plain.raw, .href_url.domain.root_domain)
      )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "4e659d28-53fa-51ca-888d-a7cab1e4bcad"
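The rule's boolean logic rendered as plain Python and run over constructed sample messages, as an added example that is neither Sublime's code nor the rule itself. Link and Message are hypothetical stand-ins for the MQL fields named in their comments, and the two regexes are this example's reading of the rule's escaped patterns.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the message fields the rule reads (hypothetical names).
@dataclass
class Link:
    url: str                    # .href_url.url
    root_domain: str            # .href_url.domain.root_domain
    rewrite_original: str = ""  # .href_url.rewrite.original, "" if never rewritten

@dataclass
class Message:
    links: list          # body.links
    thread_links: list   # body.current_thread.links
    plain_raw: str       # body.plain.raw

SAFELINKS = "safelinks.protection.outlook.com"
HREF_MALFORMED = re.compile(r":/\\", re.I)             # rule: ':/\\' on .href_url.url
TEXT_MALFORMED = re.compile(r"https?:\\[^\s]+", re.I)  # rule: 'https?:\\\\[^\\s]+' on plain text

def is_malformed_url_prefix(msg: Message) -> bool:
    # Branch 1: a parsed link whose href already contains ':/\'.
    if any(HREF_MALFORMED.search(link.url) for link in msg.links):
        return True
    # Branch 2 needs a backslash scheme in the raw text...
    if not TEXT_MALFORMED.search(msg.plain_raw):
        return False
    # ...that Safe Links rewriting does not account for: fire if no link in the
    # thread was rewritten by Safe Links, or if some rewritten link's root domain
    # never appears in the raw text.
    rewritten = [l for l in msg.thread_links if SAFELINKS in l.rewrite_original.lower()]
    if not rewritten:
        return True
    raw = msg.plain_raw.lower()
    return not all(l.root_domain.lower() in raw for l in rewritten)

def sample_verdicts() -> dict:
    # Constructed messages exercising each branch; values are the rule's verdicts.
    sl = "https://nam.safelinks.protection.outlook.com/?url=https://example.com/docs"
    return {
        "backslash_href": is_malformed_url_prefix(Message(
            [Link(r"http:/\login-verify.invalid", "login-verify.invalid")], [],
            "Please confirm your account")),
        "backslash_text_no_rewrite": is_malformed_url_prefix(Message(
            [], [], r"Reset here: http:\\login-verify.invalid\reset")),
        "backslash_text_safelinks_explained": is_malformed_url_prefix(Message(
            [], [Link(sl, "example.com", sl)], r"Docs: http:\\example.com\docs")),
        "clean": is_malformed_url_prefix(Message(
            [Link("https://example.com/docs", "example.com")], [], "Docs: https://example.com/docs")),
    }
```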
