Link: Mixed case HTTPS protocol

Detects messages containing links with mixed case 'hTTPs' protocol, a technique used to evade detection filters.

Sublime rule

name: "Link: Mixed case HTTPS protocol"
description: "Detects messages containing links with mixed case 'hTTPs' protocol, a technique used to evade detection filters."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) > 0
  and any(body.links, strings.contains(.href_url.url, 'hTTPs://'))

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "f3424a81-3843-5a3e-8fc8-126cf7037cfa"
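As an added illustration (not part of Sublime's rule set), the Python below mirrors the rule's three conditions over constructed sample messages and, going beyond the rule, also reports any link whose scheme is not all-lowercase, since clients resolve schemes case-insensitively and a literal 'hTTPs://' match only catches that one spelling. The message layout (`inbound`, `body_html`) and the sample bodies are assumptions.

```python
import re
from html.parser import HTMLParser

class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())

def extract_links(body_html):
    parser = _HrefCollector()
    parser.feed(body_html)
    return parser.hrefs

# Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def matches_rule(message):
    """Mirror of the rule: inbound, at least one link, and some href
    containing the literal mixed-case substring 'hTTPs://'."""
    if not message["inbound"]:
        return False
    links = extract_links(message["body_html"])
    return len(links) > 0 and any("hTTPs://" in href for href in links)

def noncanonical_scheme_links(message):
    """Generalisation beyond the rule: every link whose scheme is not
    all-lowercase. Clients resolve schemes case-insensitively, so
    'HtTpS://' works like 'https://' but escapes a literal 'hTTPs://' match."""
    flagged = []
    for href in extract_links(message["body_html"]):
        m = _SCHEME_RE.match(href)
        if m and m.group(1) != m.group(1).lower():
            flagged.append(href)
    return flagged

# Constructed sample messages (assumed layout, not from the page).
SAMPLES = {
    "benign": {"inbound": True, "body_html": '<a href="https://example.com/login">Sign in</a>'},
    "rule_hit": {"inbound": True, "body_html": '<a href="hTTPs://example.com/verify">Verify</a>'},
    "other_case": {"inbound": True, "body_html": '<a href="HtTpS://example.com/x">Open</a>'},
    "outbound": {"inbound": False, "body_html": '<a href="hTTPs://example.com/verify">Verify</a>'},
}
```

The "other_case" sample shows the gap between the rule's exact literal and the broader check: it is missed by `matches_rule` but caught by `noncanonical_scheme_links`.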