← Back to Explore
sublimehighRule
Link: Base64 encoded recipient address in URL fragment with hex subdomain
Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection.
Detection Query
type.inbound
and any(body.links,
length(.href_url.domain.subdomain) == 40
and regex.match(.href_url.domain.subdomain, '^[a-f0-9]{40}')
and any(strings.scan_base64(.href_url.fragment),
. == recipients.to[0].email.email
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Base64 encoded recipient address in URL fragment with hex subdomain"
description: "Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection."
type: "rule"
severity: "high"
source: |
type.inbound
and any(body.links,
length(.href_url.domain.subdomain) == 40
and regex.match(.href_url.domain.subdomain, '^[a-f0-9]{40}')
and any(strings.scan_base64(.href_url.fragment),
. == recipients.to[0].email.email
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "URL analysis"
- "Content analysis"
id: "781e86ae-0be9-5965-8b94-8f0c9ad13854"