Service abuse: Mimecast URL with excessive path length
Detects messages containing the second stage Mimecast redirect URL with unusually long paths, potentially indicating abuse of the Mimecast URL redirection service to obfuscate malicious destinations.
Sublime rule
```yaml
name: "Service abuse: Mimecast URL with excessive path length"
description: "Detects messages containing the second stage Mimecast redirect URL with unusually long paths, potentially indicating abuse of the Mimecast URL redirection service to obfuscate malicious destinations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(body.links,
                 strings.icontains(.href_url.domain.root_domain, "mimecast")
                 and strings.starts_with(.href_url.path, "/r/")
          ),
          length(.href_url.path) > 2000
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "URL analysis"
id: "eb800883-be30-58a8-8435-6aada6c73e2e"
```
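The same three-part check the rule expresses in MQL (root domain containing "mimecast", path under `/r/`, path longer than 2000 characters), written out in Python as an added example that is not part of the Sublime rule or its library. The `root_domain` helper is a hypothetical two-label approximation of MQL's `.href_url.domain.root_domain`, and the sample links use constructed `.example` hostnames rather than real Mimecast URLs.

```python
from __future__ import annotations
from urllib.parse import urlparse

PATH_LENGTH_THRESHOLD = 2000  # same threshold as the rule's length(.href_url.path) > 2000


def root_domain(host: str) -> str:
    """Hypothetical stand-in for MQL's root_domain: keep the last two labels.

    It ignores multi-part public suffixes such as "co.uk"; a real
    implementation would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_mimecast_redirect(url: str) -> bool:
    """strings.icontains(root_domain, "mimecast") and starts_with(path, "/r/")."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # hostname strips userinfo and port
    return "mimecast" in root_domain(host) and parsed.path.startswith("/r/")


def is_suspicious_link(url: str) -> bool:
    """A Mimecast /r/ redirect whose path exceeds the length threshold."""
    return is_mimecast_redirect(url) and len(urlparse(url).path) > PATH_LENGTH_THRESHOLD


def rule_matches(inbound: bool, links: list[str]) -> bool:
    """type.inbound and any(filter(body.links, <redirect>), length(path) > 2000)."""
    return inbound and any(is_suspicious_link(u) for u in links)


# Constructed sample links (not real Mimecast URLs); only "long_redirect" should fire.
CONSTRUCTED_LINKS = {
    "short_redirect": "https://url-protect.mimecast.example/r/" + "a" * 60,
    "long_redirect": "https://url-protect.mimecast.example/r/" + "a" * 2400,
    "long_non_mimecast": "https://cdn.example.com/r/" + "a" * 2400,
    "long_other_path": "https://url-protect.mimecast.example/s/" + "a" * 2400,
}


def evaluate_samples() -> dict[str, bool]:
    """Run the per-link check over every constructed sample."""
    return {label: is_suspicious_link(url) for label, url in CONSTRUCTED_LINKS.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:20s} suspicious={hit}")
    print("rule fires on inbound message:", rule_matches(True, list(CONSTRUCTED_LINKS.values())))
```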