sublime | medium | Rule
Link: Shortened URL with fragment matching subject
Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics.
Detection Query
type.inbound
and any(body.current_thread.links,
        .href_url.domain.root_domain in $url_shorteners
        and .href_url.fragment is not null
        and length(.href_url.fragment) > 5
        and strings.contains(subject.subject, .href_url.fragment)
)
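The query's logic re-implemented in Python and run over constructed messages, as an added example that is not Sublime's own code. `URL_SHORTENERS` is a small stand-in for `$url_shorteners`, the root-domain helper is a naive last-two-labels approximation, and the substring test is assumed to be case-sensitive.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the platform's $url_shorteners list (assumption).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def root_domain(host):
    """Naive root domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_matches(href, subject):
    """Apply the rule's four per-link conditions to one URL."""
    parts = urlsplit(href)
    if not parts.hostname or root_domain(parts.hostname) not in URL_SHORTENERS:
        return False
    fragment = parts.fragment  # "" when the URL has no '#...' part
    if len(fragment) <= 5:  # rule: fragment is not null and length > 5
        return False
    # Substring test, treated as case-sensitive here (assumption).
    return fragment in subject


def rule_matches(message):
    """message: dict with 'inbound' (bool), 'subject' (str), 'links' (list of URLs)."""
    return message["inbound"] and any(
        link_matches(href, message["subject"]) for href in message["links"]
    )


# Constructed sample messages, not real mail.
SAMPLES = {
    "fragment_in_subject": {"inbound": True, "subject": "Invoice ref-884213 is ready",
        "links": ["https://example.com/help", "https://bit.ly/3xAmPlE#ref-884213"]},
    "short_fragment": {"inbound": True, "subject": "Your top5 list",
        "links": ["https://t.co/abc#top5"]},
    "not_a_shortener": {"inbound": True, "subject": "Invoice ref-884213 is ready",
        "links": ["https://example.org/page#ref-884213"]},
    "fragment_not_in_subject": {"inbound": True, "subject": "Quarterly report",
        "links": ["https://tinyurl.com/abc#ref-884213"]},
    "outbound": {"inbound": False, "subject": "Invoice ref-884213 is ready",
        "links": ["https://bit.ly/3xAmPlE#ref-884213"]},
}


def evaluate_samples():
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```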
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Shortened URL with fragment matching subject"
description: "Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          .href_url.domain.root_domain in $url_shorteners
          and .href_url.fragment is not null
          and length(.href_url.fragment) > 5
          and strings.contains(subject.subject, .href_url.fragment)
  )
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
- "Header analysis"
id: "120e92cc-db08-5b5e-bf26-fcf4c565e6e3"