← Back to Explore
sublimemediumRule
Link: Common hidden directory observed
Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.
Detection Query
type.inbound
and 0 < length(body.links) <= 10
and any(body.links,
(
strings.icontains(.href_url.path, "/.well-known/")
and (
// well-known with a directory behind it
(
regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
// doesn't contain anything after /pki-validation/ or contains godaddy.html after (which is their location for the validation)
and not regex.imatch(.href_url.path,
'/.well-known/pki-validation/(?:godaddy.html)?'
)
)
// or a fragment in the url
or .href_url.fragment is not null
)
)
or strings.icontains(.href_url.path, "/.js/")
or strings.icontains(.href_url.path, "/.env/")
or strings.icontains(.href_url.path, "/.git/")
or strings.icontains(.href_url.path, "/.svn/")
or strings.icontains(.href_url.path, "/.hg/")
or strings.icontains(.href_url.path, "/.DS_Store/")
or strings.icontains(.href_url.path, "/.htpasswd/")
or strings.icontains(.href_url.path, "/.htaccess/")
or strings.icontains(.href_url.path, "/.bash_history/")
or strings.icontains(.href_url.path, "/.bashrc/")
or strings.icontains(.href_url.path, "/.zshrc/")
or strings.icontains(.href_url.path, "/.profile/")
or strings.icontains(.href_url.path, "/.wp/")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Link: Common hidden directory observed"
description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
references:
- "https://datatracker.ietf.org/doc/html/rfc8615"
- "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
type: "rule"
severity: "medium"
source: |
type.inbound
and 0 < length(body.links) <= 10
and any(body.links,
(
strings.icontains(.href_url.path, "/.well-known/")
and (
// well-known with a directory behind it
(
regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
// doesn't contain anything after /pki-validation/ or contains godaddy.html after (which is their location for the validation)
and not regex.imatch(.href_url.path,
'/.well-known/pki-validation/(?:godaddy.html)?'
)
)
// or a fragment in the url
or .href_url.fragment is not null
)
)
or strings.icontains(.href_url.path, "/.js/")
or strings.icontains(.href_url.path, "/.env/")
or strings.icontains(.href_url.path, "/.git/")
or strings.icontains(.href_url.path, "/.svn/")
or strings.icontains(.href_url.path, "/.hg/")
or strings.icontains(.href_url.path, "/.DS_Store/")
or strings.icontains(.href_url.path, "/.htpasswd/")
or strings.icontains(.href_url.path, "/.htaccess/")
or strings.icontains(.href_url.path, "/.bash_history/")
or strings.icontains(.href_url.path, "/.bashrc/")
or strings.icontains(.href_url.path, "/.zshrc/")
or strings.icontains(.href_url.path, "/.profile/")
or strings.icontains(.href_url.path, "/.wp/")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "URL analysis"
- "HTML analysis"
id: "9f316da6-821c-5fed-b967-80fc0e740626"