Sublime rule (severity: high)
Malformed URL prefix
Malformed URL prefix is a technique used to evade email security scanners: the sender writes a link with a backslash in the scheme delimiter (for example "http:/\" or "https:\\" instead of "https://"). Browsers treat a backslash as a slash for http and https, so the link still resolves, while a scanner that only recognises a well-formed "://" prefix may not extract or analyse the URL at all. This rule fires when any link href in the body contains ":/\", or when the plain-text body contains an "http:\" or "https:\" prefix followed by non-whitespace; the plain-text check is suppressed when the current thread contains Microsoft Safe Links-wrapped links and every one of their destination root domains also appears in the plain text.
Detection Query
any(body.links, regex.icontains(.href_url.url, ':/\\'))
or (
  regex.icontains(body.plain.raw, 'https?:\\\\[^\\s]+')
  and (
    length(filter(body.current_thread.links,
                  strings.icontains(.href_url.rewrite.original,
                                    "safelinks.protection.outlook.com"
                  )
           )
    ) == 0
    or not all(filter(body.current_thread.links,
                      strings.icontains(.href_url.rewrite.original,
                                        "safelinks.protection.outlook.com"
                      )
               ),
               strings.icontains(body.plain.raw, .href_url.domain.root_domain)
    )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: Malformed URL prefix
description: |
  Malformed URL prefix is a technique used to evade email security scanners.
references:
  - "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/"
type: "rule"
severity: "high"
source: |
  any(body.links, regex.icontains(.href_url.url, ':/\\'))
  or (
    regex.icontains(body.plain.raw, 'https?:\\\\[^\\s]+')
    and (
      length(filter(body.current_thread.links,
                    strings.icontains(.href_url.rewrite.original,
                                      "safelinks.protection.outlook.com"
                    )
             )
      ) == 0
      or not all(filter(body.current_thread.links,
                        strings.icontains(.href_url.rewrite.original,
                                          "safelinks.protection.outlook.com"
                        )
                 ),
                 strings.icontains(body.plain.raw, .href_url.domain.root_domain)
      )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "4e659d28-53fa-51ca-888d-a7cab1e4bcad"