← Back to Explore
sublimemediumRule
Link: Referrer anonymization service from untrusted sender
Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.
Detection Query
type.inbound
and any(body.links,
// href.li
(
.href_url.domain.root_domain == "href.li"
and .href_url.query_params is not null
)
or "href_li" in .href_url.rewrite.encoders
// deref-mail
or (
(
(
strings.istarts_with(.href_url.path, '/mail/client/')
and strings.icontains(.href_url.query_params, 'redirectUrl=')
)
or "deref_mail" in .href_url.rewrite.encoders
)
// this seems to be a common behavior for gmx users
and not sender.email.domain.domain in ("gmx.de", "gmx.net")
and not (
sender.email.domain.domain == "mail.com"
and any(headers.domains, .root_domain == "mail.com")
)
// remove any links that include org domains
and not any($org_domains,
strings.icontains(..href_url.query_params, .)
)
// remove any links that are to common "signature" sites
// this does open up some FNs due to abuse of redirects of these sites
// if FNs are obsevered, we should tighten the logic of these to account
// for the redirect behavior
and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
strings.icontains(..href_url.query_params, .)
)
// remove links which contain the sender domain if the sender doesn't have any malicious messages
and not (
strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
and not profile.by_sender_domain().any_messages_malicious_or_spam
)
)
)
// apply sender profile elements specific to the sender_email
and (
profile.by_sender_email().prevalence == "new"
// if they aren't new, there are some condition that still result in a match
or (
// and have been flagged previous
profile.by_sender_email().any_messages_malicious_or_spam
// without any false positives
and not profile.by_sender_email().any_messages_benign
)
)
// negate solicited senders
and not profile.by_sender_email().solicited
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Referrer anonymization service from untrusted sender"
description: "Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
// href.li
(
.href_url.domain.root_domain == "href.li"
and .href_url.query_params is not null
)
or "href_li" in .href_url.rewrite.encoders
// deref-mail
or (
(
(
strings.istarts_with(.href_url.path, '/mail/client/')
and strings.icontains(.href_url.query_params, 'redirectUrl=')
)
or "deref_mail" in .href_url.rewrite.encoders
)
// this seems to be a common behavior for gmx users
and not sender.email.domain.domain in ("gmx.de", "gmx.net")
and not (
sender.email.domain.domain == "mail.com"
and any(headers.domains, .root_domain == "mail.com")
)
// remove any links that include org domains
and not any($org_domains,
strings.icontains(..href_url.query_params, .)
)
// remove any links that are to common "signature" sites
// this does open up some FNs due to abuse of redirects of these sites
// if FNs are obsevered, we should tighten the logic of these to account
// for the redirect behavior
and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
strings.icontains(..href_url.query_params, .)
)
// remove links which contain the sender domain if the sender doesn't have any malicious messages
and not (
strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
and not profile.by_sender_domain().any_messages_malicious_or_spam
)
)
)
// apply sender profile elements specific to the sender_email
and (
profile.by_sender_email().prevalence == "new"
// if they aren't new, there are some condition that still result in a match
or (
// and have been flagged previous
profile.by_sender_email().any_messages_malicious_or_spam
// without any false positives
and not profile.by_sender_email().any_messages_benign
)
)
// negate solicited senders
and not profile.by_sender_email().solicited
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Open redirect"
- "Evasion"
detection_methods:
- "Header analysis"
- "URL analysis"
- "Sender analysis"
id: "9fab2e1e-96d2-504f-b3dd-8af12f0e553d"