Link: Unsolicited email contains link leading to Tycoon URL structure
Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure.
Detection Query
type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // single path
        strings.count(ml.link_analysis(., mode="aggressive").effective_url.path,
                      '/'
        ) == 2
        // tycoon url struct
        and regex.icontains(ml.link_analysis(., mode="aggressive").effective_url.path,
                            '\/.*[!@].*\/[$*](?:[a-zA-Z0-9.\-_]+(?:@|%40)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})|$)'
        )
)
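As an added example that is not part of the Sublime rule or its product, the same two path checks (exactly two '/' in the effective path, plus the Tycoon-style regex) re-implemented in Python and run over constructed sample links, with a helper that recovers the recipient address the kit embeds after the '$' or '*' marker in clear text or base64. It assumes `cdn.example.invalid` as a placeholder host and that `regex.icontains` behaves like a case-insensitive unanchored search:

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# The rule's regex copied verbatim; Python's re reads '\/' as a literal '/'.
TYCOON_PATH_RE = re.compile(
    r'\/.*[!@].*\/[$*](?:[a-zA-Z0-9.\-_]+(?:@|%40)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}'
    r'|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})'
    r'|$)',
    re.IGNORECASE,  # assumption: regex.icontains == case-insensitive unanchored search
)

def matches_tycoon_structure(url: str) -> bool:
    """Mirror the rule's two path checks: exactly two '/' in the path
    (one directory plus one leaf) and the Tycoon-style pattern."""
    path = urlparse(url).path
    return path.count('/') == 2 and TYCOON_PATH_RE.search(path) is not None

def extract_victim_email(url: str) -> Optional[str]:
    """Recover the address embedded after the '$'/'*' marker, either clear
    text ('@' possibly as '%40') or base64; None if nothing email-like."""
    if not matches_tycoon_structure(url):
        return None
    leaf = urlparse(url).path.rsplit('/', 1)[1][1:]  # drop the '$'/'*' marker
    clear = unquote(leaf)
    if '@' in clear:
        return clear
    try:  # pad to a multiple of 4 so unpadded base64 still decodes
        text = base64.b64decode(leaf + '=' * (-len(leaf) % 4), validate=True).decode('ascii')
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if '@' in text else None

# Constructed sample links (placeholder host); the base64 leaf encodes "user@example.com".
SAMPLE_URLS = [
    "https://cdn.example.invalid/a1b2!c3d4/$dXNlckBleGFtcGxlLmNvbQ==",  # base64 email
    "https://cdn.example.invalid/x@y/*user%40example.com",             # clear-text email
    "https://cdn.example.invalid/a!b/$",                               # marker only
    "https://cdn.example.invalid/docs/$dXNlckBleGFtcGxlLmNvbQ==",      # no '!'/'@' in dir
    "https://cdn.example.invalid/a!b/c/$dXNlckBleGFtcGxlLmNvbQ==",     # three path levels
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{matches_tycoon_structure(u)!s:5}  {extract_victim_email(u)!r:22}  {u}")
```

Only the first three samples satisfy both checks; the marker-only link matches because of the regex's trailing `|$` alternative, which is worth knowing when tuning for false positives.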
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "Link: Unsolicited email contains link leading to Tycoon URL structure"
description: "Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure."
type: "rule"
severity: "high"
source: |
  type.inbound
  and 0 < length(body.links) < 15
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // single path
          strings.count(ml.link_analysis(., mode="aggressive").effective_url.path,
                        '/'
          ) == 2
          // tycoon url struct
          and regex.icontains(ml.link_analysis(., mode="aggressive").effective_url.path,
                              '\/.*[!@].*\/[$*](?:[a-zA-Z0-9.\-_]+(?:@|%40)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,3}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})|$)'
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "URL analysis"
id: "90e483fa-b342-5752-a682-045395e3046b"