Malformed URL prefix

Jun 3, 2025 · Attack surface reduction ·

Malformed URL prefix is a technique used to evade email security scanners.

Sublime rule (View on GitHub)

 1name: Malformed URL prefix
 2description: |
 3    Malformed URL prefix is a technique used to evade email security scanners.
 4references:
 5  - "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  any(body.links, regex.icontains(.href_url.url, ':/\\'))
10  or regex.icontains(body.plain.raw, 'https?:\\\\[^\\s]+')  
11tags:
12 - "Attack surface reduction"
13attack_types:
14  - "Credential Phishing"
15  - "Malware/Ransomware"
16tactics_and_techniques:
17  - "Evasion"
18detection_methods:
19  - "URL analysis"
20id: "4e659d28-53fa-51ca-888d-a7cab1e4bcad"

Related rules

Open redirect: Dell
Open redirect: Ticketmaster
Open redirect: Linkedin
Free subdomain link with credential theft indicators
New sender domain (<=10d) from untrusted sender