
Link: Multiple HTTP protocols in single URL

Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques.

Detection Query

// Flags inbound messages in which a single link's query string carries several
// full URLs (a redirect chain / URL-in-URL obfuscation pattern), counted across
// plain, percent-encoded and double-percent-encoded scheme separators.
// NOTE(review): the rule description says "5 or more HTTP protocol declarations",
// but the thresholds implemented below are >= 3 distinct root domains and
// >= 3 URL-like markers in one query-param value — confirm which is intended
// and align the description with the query.
type.inbound
// only messages with at least one and fewer than 10 links in the current thread;
// presumably a cost / bulk-mail false-positive bound — confirm intent
and 0 < length(body.current_thread.links) < 10
and any(body.current_thread.links,
        // only links the recipient can see
        .visible
        // no ability to loop query_params_decoded, so create the non-decoded equivalent
        // below: the raw query string is split with a regex and values stay percent-encoded
        // list-management links are skipped (they routinely carry redirect URLs in their
        // query string); both the href and the visible anchor text are checked
        and not strings.icontains(.href_url.url, 'unsubscribe')
        and not strings.icontains(.display_text, 'unsubscribe')
        // one entry per name=value pair; 'value' is optional and may be empty
        and any(regex.extract(.href_url.query_params,
                              '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
                ),

                // filter down to query params that start with a url
                // the scheme is optional; the '://' separator may be plain, single-encoded
                // (%3A%2F%2F) or double-encoded (%253A%252F%252F), case-insensitive hex
                regex.contains(.named_groups['value'],
                               '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                )
                // the number of unique domains in the URL query param is greater or equal to three
                // the 'domain' capture stops at '/', whitespace, '&' or '%', so an encoded
                // character inside a host name ends the candidate early
                and length(distinct(map(filter(regex.iextract(.named_groups['value'],
                                                              '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
                                               ),
                                               // sometimes URLs have // and produce entries we want to skip
                                               // so ensure it's a valid domain first
                                               strings.parse_domain(.named_groups['domain']
                                               ).error is null
                                               and strings.parse_domain(.named_groups['domain']
                                               ).valid
                                               // remove domains that are the same as the sender root domain
                                               // (first-party redirectors should not count as extra domains)
                                               and strings.parse_domain(.named_groups['domain']
                                               ).root_domain != sender.email.domain.root_domain
                                        ),
                                        // return just the root domain
                                        strings.parse_domain(.named_groups['domain']
                                        ).root_domain
                                    ),
                                    // '.' is the element itself: dedupe on the root domain string
                                    .
                           )
                ) >= 3

                // there are three or more total URLs in that query param
                // NOTE(review): unlike the distinct-domain check above, this count applies no
                // valid-domain filter, so a bare '//' inside a path (which the comment above
                // says does occur) also counts towards the 3 — confirm that is acceptable
                and regex.count(.named_groups['value'],
                                '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                ) >= 3
        )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
# Sublime Security detection rule: a single link whose query string carries several
# full URLs (redirect chain / URL-in-URL obfuscation).
# NOTE(review): the description says "5 or more HTTP protocol declarations", but the
# query below requires >= 3 distinct root domains and >= 3 URL-like markers in one
# query-param value — align the description with the implemented thresholds.
name: "Link: Multiple HTTP protocols in single URL"
description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // only messages with at least one and fewer than 10 links in the current thread;
  // presumably a cost / bulk-mail false-positive bound — confirm intent
  and 0 < length(body.current_thread.links) < 10
  and any(body.current_thread.links,
          // only links the recipient can see
          .visible
          // no ability to loop query_params_decoded, so create the non-decoded equivalent
          // below: the raw query string is split with a regex and values stay percent-encoded
          // list-management links are skipped (they routinely carry redirect URLs in their
          // query string); both the href and the visible anchor text are checked
          and not strings.icontains(.href_url.url, 'unsubscribe')
          and not strings.icontains(.display_text, 'unsubscribe')
          // one entry per name=value pair; 'value' is optional and may be empty
          and any(regex.extract(.href_url.query_params,
                                '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
                  ),
  
                  // filter down to query params that start with a url
                  // the scheme is optional; the '://' separator may be plain, single-encoded
                  // (%3A%2F%2F) or double-encoded (%253A%252F%252F), case-insensitive hex
                  regex.contains(.named_groups['value'],
                                 '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                  )
                  // the number of unique domains in the URL query param is greater or equal to three
                  // the 'domain' capture stops at '/', whitespace, '&' or '%', so an encoded
                  // character inside a host name ends the candidate early
                  and length(distinct(map(filter(regex.iextract(.named_groups['value'],
                                                                '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
                                                 ),
                                                 // sometimes URLs have // and produce entries we want to skip
                                                 // so ensure it's a valid domain first
                                                 strings.parse_domain(.named_groups['domain']
                                                 ).error is null
                                                 and strings.parse_domain(.named_groups['domain']
                                                 ).valid
                                                 // remove domains that are the same as the sender root domain
                                                 // (first-party redirectors should not count as extra domains)
                                                 and strings.parse_domain(.named_groups['domain']
                                                 ).root_domain != sender.email.domain.root_domain
                                          ),
                                          // return just the root domain
                                          strings.parse_domain(.named_groups['domain']
                                          ).root_domain
                                      ),
                                      // '.' is the element itself: dedupe on the root domain string
                                      .
                             )
                  ) >= 3
  
                  // there are three or more total URLs in that query param
                  // NOTE(review): unlike the distinct-domain check above, this count applies no
                  // valid-domain filter, so a bare '//' inside a path (which the comment above
                  // says does occur) also counts towards the 3 — confirm that is acceptable
                  and regex.count(.named_groups['value'],
                                  '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                  ) >= 3
          )
  )
# the tags list is indented one space while the lists below use two; valid YAML,
# but inconsistent with the rest of the file
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"