Malformed URL prefix
Malformed URL prefix is a technique used to evade email security scanners.
Sublime rule
---
# Sublime detection rule. Flags messages whose links use a malformed scheme
# separator (a backslash where '://' is expected), a scanner-evasion trick
# described in the referenced article.
name: 'Malformed URL prefix'
description: |
  Malformed URL prefix is a technique used to evade email security scanners.
references:
  - 'https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/'
type: 'rule'
severity: 'high'
# Clause 1: any link in the body whose URL matches the regex ':/\\'
#   (a backslash directly after the scheme separator).
# Clause 2: the raw plain-text body contains an 'http(s):\\...' style URL,
#   and either no link in the current thread was rewritten through
#   Safelinks, or at least one Safelinks-rewritten link has a root domain
#   that does not appear anywhere in the plain-text body.
source: |
  any(body.links, regex.icontains(.href_url.url, ':/\\'))
  or (
    regex.icontains(body.plain.raw, 'https?:\\\\[^\\s]+')
    and (
      length(filter(body.current_thread.links,
                    strings.icontains(.href_url.rewrite.original,
                                      "safelinks.protection.outlook.com"
                    )
             )
      ) == 0
      or not all(filter(body.current_thread.links,
                        strings.icontains(.href_url.rewrite.original,
                                          "safelinks.protection.outlook.com"
                        )
                 ),
                 strings.icontains(body.plain.raw, .href_url.domain.root_domain)
      )
    )
  )
tags:
  - 'Attack surface reduction'
attack_types:
  - 'Credential Phishing'
  - 'Malware/Ransomware'
tactics_and_techniques:
  - 'Evasion'
detection_methods:
  - 'URL analysis'
id: '4e659d28-53fa-51ca-888d-a7cab1e4bcad'