EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: Obfuscation via userinfo with excessive URL padding

Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027T1598.003
defense-evasioninitial-access

Detection Query

type.inbound
and 0 < length(body.links) < 100
and any(body.links,
        // Detects deceptive URLs where the URL appears to start with a trusted domain (e.g., youtube.com@),
        // but the actual destination domain is something else (e.g., malicious-site.com).
        // In such cases, browsers interpret the portion before the '@' symbol as a username (e.g., youtube.com),
        // and the URL resolves to the domain after the '@' symbol (malicious-site.com).
        // This technique is often used in phishing attacks to trick users into trusting the link by showing a familiar domain.
        // (?:%(?:25)?[a-f0-9]{2}){30,} is the key part which detects 30 or more URL encoded values before an @ (or a URL encoded @)
        regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
                        'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
        )
        and not (
          .href_url.domain.sld == "google"
          and strings.istarts_with(.href_url.path, '/maps/place')
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Obfuscation via userinfo with excessive URL padding"
description: "Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) < 100
  and any(body.links,
          // Detects deceptive URLs where the URL appears to start with a trusted domain (e.g., youtube.com@),
          // but the actual destination domain is something else (e.g., malicious-site.com).
          // In such cases, browsers interpret the portion before the '@' symbol as a username (e.g., youtube.com),
          // and the URL resolves to the domain after the '@' symbol (malicious-site.com).
          // This technique is often used in phishing attacks to trick users into trusting the link by showing a familiar domain.
          // (?:%(?:25)?[a-f0-9]{2}){30,} is the key part which detects 30 or more URL encoded values before an @ (or a URL encoded @)
          regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
                          'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
          )
          and not (
            .href_url.domain.sld == "google"
            and strings.istarts_with(.href_url.path, '/maps/place')
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
detection_methods:
  - "URL analysis"
id: "806317a3-d931-501c-9505-d2e08c646565"