sublime | high | Rule
Link: URL path containing /moni/index
Detects inbound messages containing links to '/moni/index.' paths, either directly in the URL path or within query parameters. This pattern has been observed in the wild leading to credential phishing.
Detection Query
type.inbound
and any(body.current_thread.links,
        regex.icontains(.href_url.path, '\/moni\/index\.')
        or any(values(.href_url.query_params_decoded),
               any(., regex.icontains(., '\/moni\/index\.'))
        )
        or .href_url.path == "/moni"
)
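The three per-link conditions in the query above, approximated in Python as an added example (not Sublime's implementation and not code from the rule's author). The names `link_matches` and `message_matches` and the sample URLs are constructed for illustration, and `parse_qs` is assumed to stand in for `query_params_decoded`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same pattern the rule passes to regex.icontains (case-insensitive search).
MONI_INDEX = re.compile(r"/moni/index\.", re.IGNORECASE)


def link_matches(url):
    """Approximate the rule's three per-link conditions for one href."""
    parts = urlsplit(url)
    # 1) '/moni/index.' anywhere in the URL path (not anchored to the start)
    if MONI_INDEX.search(parts.path):
        return True
    # 2) '/moni/index.' inside any decoded query parameter value;
    #    parse_qs percent-decodes values (assumed stand-in for
    #    query_params_decoded)
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(MONI_INDEX.search(v) for vals in params.values() for v in vals):
        return True
    # 3) path is exactly '/moni' (plain equality, as written in the rule)
    return parts.path == "/moni"


def message_matches(links):
    """Mirror any(body.current_thread.links, ...): one hit flags the message."""
    return any(link_matches(u) for u in links)


# Constructed sample links; example.test and example.com are placeholder hosts.
SAMPLES = {
    "https://example.test/moni/index.php?id=1": True,     # direct path hit
    "https://example.test/a/MONI/INDEX.html": True,       # case-insensitive
    "https://example.com/redirect?url=https%3A%2F%2Fexample.test"
    "%2Fmoni%2Findex.php": True,                          # inside a query value
    "https://example.test/moni": True,                    # exact '/moni' path
    "https://example.test/harmoni/index.html": False,     # benign lookalike
    "https://example.test/monitor/index.html": False,     # benign lookalike
    "https://example.com/login?next=/account/index.html": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{link_matches(url)!s:5} (expected {expected}) {url}")
```

The benign lookalike rows are the ones worth keeping as regression cases when tuning the pattern, since they confirm the leading slash in the regex prevents matches on longer path segments.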
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: URL path containing /moni/index"
description: "Detects inbound messages containing links to '/moni/index.' paths, either directly in the URL path or within query parameters. This pattern has been observed in the wild leading to credential phishing"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.current_thread.links,
          regex.icontains(.href_url.path, '\/moni\/index\.')
          or any(values(.href_url.query_params_decoded),
                 any(., regex.icontains(., '\/moni\/index\.'))
          )
          or .href_url.path == "/moni"
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Open redirect"
- "Evasion"
detection_methods:
- "URL analysis"
id: "9d8aa316-64c8-5d48-89be-06cc56eaa1f8"