sublimelowRule

URL with Unicode U+2044 (⁄) or U+2215 (∕) characters

Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1036 T1027

defense-evasioninitial-access

Detection Query

type.inbound
and (
  regex.icontains(body.plain.raw,
                  'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'
  )
  or any(body.links,
         regex.icontains(.href_url.url,
                         'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'
         )
  )
)

Author

delivr_to

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5

Raw Content

name: "URL with Unicode U+2044 (⁄) or U+2215 (∕) characters"
description: |
  Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.
type: "rule"
severity: "low"
authors:
  - twitter: "delivr_to"
references:
  - https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
source: |
  type.inbound
  and (
    regex.icontains(body.plain.raw,
                    'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'
    )
    or any(body.links,
           regex.icontains(.href_url.url,
                           'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'
           )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "12069f5b-a774-53ba-8473-633291f71e84"