Link: Single character path with credential theft body and self sender behavior or invalid recipient

Message where the sender and recipient are the same or the recipient domain is invalid, contains a link with a single character path and no query parameters or fragments, and includes credential theft language.

Sublime rule

name: "Link: Single character path with credential theft body and self sender behavior or invalid recipient"
description: "Message where the sender and recipient are the same or the recipient domain is invalid, contains a link with a single character path and no query parameters or fragments, and includes credential theft language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender or invalid recipient domain
  and length(recipients.to) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // path contains exactly 1 character (imatch matches the whole path)
  and any(body.current_thread.links,
          regex.imatch(.href_url.path, '\/[A-Za-z0-9]')
          and .href_url.query_params is null
          and .href_url.fragment is null
          and .display_url.url is null
  )
  // body text carries a credential theft intent with at least medium confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
  - "Header analysis"
id: "c97982e6-eaa2-53e3-ba8f-0dc4db55b936"
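The deterministic parts of the rule above (self sender or invalid recipient domain, a link whose path is exactly one character with no query, fragment or URL-shaped anchor text), re-implemented in Python as an added example so the edge cases can be tried on constructed messages; this is not Sublime's code. The `cred_theft` NLU intent is a platform classifier with no offline equivalent, so it is stood in for by a keyword heuristic, and `domain_is_valid` is a syntactic approximation of `.domain.valid`; the message fields and sample values are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# The rule's regex; regex.imatch in MQL matches the whole path, hence re.fullmatch below.
SINGLE_CHAR_PATH = re.compile(r"/[A-Za-z0-9]", re.IGNORECASE)
# Stand-in for the platform's cred_theft NLU intent (assumption, not the real classifier).
CRED_THEFT_HINTS = ("verify your password", "confirm your account", "will be suspended")
# Approximation of recipients.to[0].email.domain.valid: dotted labels plus an alphabetic TLD.
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE)


def domain_is_valid(email: str) -> bool:
    """True when the part after '@' is a syntactically valid FQDN."""
    _, _, domain = email.rpartition("@")
    return DOMAIN_RE.fullmatch(domain) is not None


def link_has_single_char_path(link: dict) -> bool:
    """href path is exactly '/x' with no query, no fragment, and anchor text that is not a URL."""
    href = urlsplit(link["href"])
    display = urlsplit(link.get("display_text", ""))
    return (SINGLE_CHAR_PATH.fullmatch(href.path) is not None
            and href.query == ""        # .href_url.query_params is null
            and href.fragment == ""     # .href_url.fragment is null
            and display.scheme == "")   # .display_url.url is null


def looks_like_cred_theft(text: str) -> bool:
    """Keyword heuristic standing in for ml.nlu_classifier(...) intent 'cred_theft'."""
    lowered = text.lower()
    return any(hint in lowered for hint in CRED_THEFT_HINTS)


def rule_matches(msg: dict) -> bool:
    """True when all three conditions of the rule hold for a message dict."""
    to = msg["to"]
    if len(to) != 1:                     # length(recipients.to) == 1
        return False
    self_or_invalid = msg["sender"] == to[0] or not domain_is_valid(to[0])
    return (self_or_invalid
            and any(link_has_single_char_path(link) for link in msg["links"])
            and looks_like_cred_theft(msg["text"]))


# Constructed sample message: every value below is made up for the demonstration.
SAMPLE = {
    "sender": "alice@example.test",
    "to": ["alice@example.test"],
    "links": [{"href": "https://cdn.example.test/a", "display_text": "Review now"}],
    "text": "Unusual sign-in detected. Verify your password within 24 hours.",
}

if __name__ == "__main__":
    print(rule_matches(SAMPLE))  # True
```

Changing the sample link to `/ab`, adding `?id=1` or `#top`, or making the anchor text itself a URL each drops the match, which is the boundary the rule draws.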