Link: Spam website with evasion indicators

Detects messages containing links to spam websites that show signs of evasion techniques: when the link is analyzed, the site returns a blocklisted-IP-provider message or a rate-limiting response instead of its content.


 1name: "Link: Spam website with evasion indicators"
 2description: "Detects messages containing links to spam websites that show signs of evasion techniques, including blocklisted IP provider messages or rate limiting responses when analyzed."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // single meaningful root domain in links
 8  and length(filter(distinct(body.links, .href_url.domain.root_domain),
 9                    // filter out unrelated domains
10                    .href_url.domain.root_domain != sender.email.domain.root_domain
11                    and any(recipients.to,
12                            .email.domain.root_domain != ..href_url.domain.root_domain
13                    )
14                    and .href_url.domain.root_domain not in ("aka.ms")
15             )
16  ) == 1
17  // specific spam website pattern
18  and any(body.links,
19          // did not redirect to any other domain
20          ml.link_analysis(.).effective_url.domain.domain == .href_url.domain.domain
21          and (
22            // LinkAnalysis was "evaded"
23            any(ml.link_analysis(.).effective_url.query_params_decoded["q"],
24                strings.icontains(., "IP provider is blacklisted!")
25            )
26            // or we encountered the rate limiting
27            or ml.link_analysis(.).final_dom.inner_text == "Too Many Requests!"
28          )
29  )  
30
31attack_types:
32  - "Spam"
33tactics_and_techniques:
34  - "Evasion"
35detection_methods:
36  - "URL analysis"
37  - "URL screenshot"
38  - "Content analysis"
39id: "08bcd353-a0a5-5718-8a6e-287320202dd3"