EXPLORE
Sign In
← Back to Explore
sublimelowRule

Link: GoPhish query param values

Detects links containing a 7-character alphanumeric 'rid' (default) query parameter, or any other variant identified, commonly used in tracking and targeting systems for malicious purposes.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1204.002T1486T1036T1027
defense-evasion

Detection Query

type.inbound
and sender.email.domain.root_domain not in $tranco_50k
// few body links
and length(body.links) < 20
// Adding loop of different query param values
// https://github.com/fin3ss3g0d/evilgophish/blob/main/replace_rid.sh
and any(["mid", "rid"],
        any(body.links,
            // not a common marketing url rewriter
            not .href_url.domain.root_domain == "vtiger.com"
            and not strings.icontains(.href_url.url, "vtiger.com")
            // myshopify return tracking numbers
            and not (
              length(.href_url.query_params_decoded["tracking_number"]) == 1
              and length(.href_url.query_params_decoded[..]) == 1
            )
            // the mid value present
            and length(.href_url.query_params_decoded[..]) == 1
            // the mid value is 7 bytes
            and length(.href_url.query_params_decoded[..][0]) == 7
            // contains letters and numbers
            and regex.imatch(.href_url.query_params_decoded[..][0],
                             '^[a-z0-9]{7}$'
            )
            and not regex.match(.href_url.query_params_decoded[..][0],
                                // not just numbers - ~0.00046% chance of being all numbers
                                '^[0-9]{7}$',
                                // not just lower case letters ~0.31% chance of all lowercase
                                '^[a-z]{7}$',
                                // not just upper case letters ~0.31% chance of being all uppercase
                                '^[A-Z]{7}$',
                                // a single letter followed by digits has ~0.00151% chance
                                '^[A-Za-z]\d{6}$'
            )
            // and not a common value observed in benign samples
            and not .href_url.query_params_decoded[..][0] == "Emailer"
            // .href_url.query_params_decoded is the wrong type for length
            // so count the number of param values, and ensure it's 3 or less
            and regex.icount(.href_url.query_params, '=[^\=]+(?:&|$)') <= 3
        )
)
// not high trust sender domains
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
and not profile.by_sender_email().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: GoPhish query param values"
description: "Detects links containing a 7-character alphanumeric 'rid' (default) query parameter, or any other variant identified, commonly used in tracking and targeting systems for malicious purposes."
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.root_domain not in $tranco_50k
  // few body links
  and length(body.links) < 20
  // Adding loop of different query param values
  // https://github.com/fin3ss3g0d/evilgophish/blob/main/replace_rid.sh
  and any(["mid", "rid"],
          any(body.links,
              // not a common marketing url rewriter
              not .href_url.domain.root_domain == "vtiger.com"
              and not strings.icontains(.href_url.url, "vtiger.com")
              // myshopify return tracking numbers
              and not (
                length(.href_url.query_params_decoded["tracking_number"]) == 1
                and length(.href_url.query_params_decoded[..]) == 1
              )
              // the mid value present
              and length(.href_url.query_params_decoded[..]) == 1
              // the mid value is 7 bytes
              and length(.href_url.query_params_decoded[..][0]) == 7
              // contains letters and numbers
              and regex.imatch(.href_url.query_params_decoded[..][0],
                               '^[a-z0-9]{7}$'
              )
              and not regex.match(.href_url.query_params_decoded[..][0],
                                  // not just numbers - ~0.00046% chance of being all numbers
                                  '^[0-9]{7}$',
                                  // not just lower case letters ~0.31% chance of all lowercase
                                  '^[a-z]{7}$',
                                  // not just upper case letters ~0.31% chance of being all uppercase
                                  '^[A-Z]{7}$',
                                  // a single letter followed by digits has ~0.00151% chance
                                  '^[A-Za-z]\d{6}$'
              )
              // and not a common value observed in benign samples
              and not .href_url.query_params_decoded[..][0] == "Emailer"
              // .href_url.query_params_decoded is the wrong type for length
              // so count the number of param values, and ensure it's 3 or less
              and regex.icount(.href_url.query_params, '=[^\=]+(?:&|$)') <= 3
          )
  )
  // not high trust sender domains
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "6d2b9c8a-ec51-562c-88f5-58605b1e5a6e"