Sublime Rule (severity: high)

Link: URL scheme obfuscation via split HTML anchors

Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems. This sophisticated evasion technique breaks the URL scheme (http/https) across separate anchor elements, rendering as: <a>h</a><a>ttp://malicious.com</a>

The technique bypasses many security tools that expect complete, well-formed URLs while displaying a seemingly normal link to end users. This pattern is strongly associated with credential phishing and compromised email accounts.

References:
- Observed in wild credential phishing campaigns (2024-2025)
- Evades traditional URL extraction and analysis tools

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
and length(body.current_thread.links) == 2
and length(filter(html.xpath(body.html, "//a").nodes,
                  .display_text == "h"
                  and any(.links, .href_url.scheme in ("http", "https"))
           )
) == 1
and length(filter(html.xpath(body.html, "//a").nodes,
                  (
                    strings.starts_with(.display_text, "ttp://")
                    or strings.starts_with(.display_text, "ttps://")
                  )
                  and any(.links, .href_url.scheme in ("http", "https"))
           )
) == 1
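Added example, not Sublime's rule or code: a stand-alone Python check that parses an HTML body with the standard library, mirrors the MQL above literally in matches_sublime_rule(), and generalises it in find_split_scheme_anchors() to any split point inside the scheme ("ht" + "tps://", "http" + "://", and so on), which the rule above does not cover. The sample bodies and hostnames are constructed for the demo, and body.current_thread.links is approximated as anchors carrying an href.

```python
"""Find an http/https scheme split across adjacent HTML anchor tags.

Added example, not Sublime's code or MQL. matches_sublime_rule() mirrors the
page's rule; find_split_scheme_anchors() generalises it to any boundary inside
the scheme. Sample bodies below are constructed; hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCHEMES = ("http://", "https://")


class AnchorCollector(HTMLParser):
    """Record every <a> in document order: href, visible text, and whether
    visible non-whitespace text follows it before the next anchor."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"href": dict(attrs).get("href"), "text": "", "gap_after": False}

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data            # text inside the anchor, nested tags included
        elif data.strip() and self.anchors:
            self.anchors[-1]["gap_after"] = True  # visible text between anchors breaks adjacency


def parse_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def has_http_scheme(href):
    return bool(href) and urlsplit(href.strip()).scheme.lower() in ("http", "https")


def find_split_scheme_anchors(html):
    """One hit per adjacent anchor pair whose concatenated display text begins with
    http:// or https:// while the first anchor alone holds only a prefix of the
    scheme. Both anchors must carry an http(s) href, as the page's rule requires."""
    anchors = parse_anchors(html)
    hits = []
    for first, second in zip(anchors, anchors[1:]):
        if first["gap_after"]:
            continue
        t1, t2 = first["text"].strip(), second["text"].strip()
        joined = (t1 + t2).lower()
        for scheme in SCHEMES:
            if joined.startswith(scheme) and 0 < len(t1) < len(scheme):
                if has_http_scheme(first["href"]) and has_http_scheme(second["href"]):
                    hits.append({"split": (t1, t2), "rendered": t1 + t2,
                                 "hrefs": (first["href"], second["href"])})
                break
    return hits


def matches_sublime_rule(html):
    """Literal mirror of the MQL on this page: exactly two links, exactly one anchor
    whose text is "h", exactly one whose text starts with ttp:// or ttps://, each with
    an http(s) href. body.current_thread.links is approximated as anchors with an href."""
    anchors = parse_anchors(html)
    if len([a for a in anchors if a["href"]]) != 2:
        return False
    h_only = [a for a in anchors if a["text"] == "h" and has_http_scheme(a["href"])]
    rest = [a for a in anchors
            if a["text"].startswith(("ttp://", "ttps://")) and has_http_scheme(a["href"])]
    return len(h_only) == 1 and len(rest) == 1


# Constructed sample bodies (not from a real campaign). The rendered text reads as a
# normal mail.example.com link while both hrefs point at the attacker's host.
PHISH = ('<p>Your mailbox is almost full. Review your quota: '
         '<a href="https://evil.example/login">h</a>'
         '<a href="https://evil.example/login">ttps://mail.example.com/quota</a></p>')
# Same trick, different split point: the page's rule misses it, the generalised check does not.
VARIANT = ('<a href="http://evil.example/sso">ht</a>'
           '<a href="http://evil.example/sso">tps://portal.example.com/sso</a>')
# Two ordinary links: each anchor carries the full scheme itself, and text separates them.
BENIGN = ('<a href="https://a.example/">https://a.example/</a> and '
          '<a href="https://b.example/">https://b.example/</a>')

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("VARIANT", VARIANT), ("BENIGN", BENIGN)):
        print(name, "strict rule:", matches_sublime_rule(body),
              "generalised:", find_split_scheme_anchors(body))
```

Two caveats worth keeping in mind when tuning the rule itself: the `length(body.current_thread.links) == 2` clause means a message that also carries an unsubscribe or logo link will not match, and the `.display_text == "h"` clause only catches the one split point observed; the generalised function above trades some precision for coverage of those variants.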

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Link: URL scheme obfuscation via split HTML anchors"
description: |
  Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems.
  This sophisticated evasion technique breaks the URL scheme (http/https) across separate anchor elements,
  rendering as: <a>h</a><a>ttp://malicious.com</a>

  The technique bypasses many security tools that expect complete, well-formed URLs while displaying a
  seemingly normal link to end users. This pattern is strongly associated with credential phishing and
  compromised email accounts.

  References:
  - Observed in wild credential phishing campaigns (2024-2025)
  - Evades traditional URL extraction and analysis tools
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(body.current_thread.links) == 2
  and length(filter(html.xpath(body.html, "//a").nodes,
                    .display_text == "h"
                    and any(.links, .href_url.scheme in ("http", "https"))
             )
  ) == 1
  and length(filter(html.xpath(body.html, "//a").nodes,
                    (
                      strings.starts_with(.display_text, "ttp://")
                      or strings.starts_with(.display_text, "ttps://")
                    )
                    and any(.links, .href_url.scheme in ("http", "https"))
             )
  ) == 1
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "HTML injection"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "10375948-f8dd-542c-bd58-e258ef82076d"