Link: Excessive URL rewrite encoders
Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.
Detection Query
type.inbound
and any(body.current_thread.links,
        (
          // 4 or more encoders but they are all distinct
          length(.href_url.rewrite.encoders) >= 4
          and length(distinct(.href_url.rewrite.encoders)) >= 4
        )
)
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Excessive URL rewrite encoders"
description: "Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.current_thread.links,
          (
            // 4 or more encoders but they are all distinct
            length(.href_url.rewrite.encoders) >= 4
            and length(distinct(.href_url.rewrite.encoders)) >= 4
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "b88e53a7-9947-5c6b-bea9-d67906634655"
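The following is an added example, not code from the Sublime rule page or the Sublime platform. It models the detection query and the YAML `source` block above in Python so the two thresholds can be exercised offline: a link matches only when its encoder list has at least four entries AND at least four distinct values, so four layers of the same rewriter do not match (only the distinct-encoders branch is present in the query). The rewrite hosts (`rewriter-a.example` and friends), their query parameter names, the `unwrap_rewrites` helper and the destination URL are all constructed assumptions; on the real platform `.href_url.rewrite.encoders` is populated by Sublime from known rewrite services.

```python
"""Offline model of the 'Link: Excessive URL rewrite encoders' link check.

Constructed example: the rewrite hosts, query parameter names and URLs below
are made up for illustration. On the real platform the
.href_url.rewrite.encoders list is populated by Sublime from known URL
rewrite services; this script only simulates that to show how the two
">= 4" thresholds in the rule behave.
"""
from typing import Dict, List
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical rewrite services (assumption): host -> query parameter that
# carries the wrapped destination URL.
REWRITERS: Dict[str, str] = {
    "rewriter-a.example": "u",
    "rewriter-b.example": "target",
    "rewriter-c.example": "url",
    "rewriter-d.example": "dest",
}

ENCODER_THRESHOLD = 4  # the ">= 4" in the rule


def wrap(url: str, host: str) -> str:
    """Wrap a URL the way a rewrite service would (one percent-encoded layer)."""
    return f"https://{host}/?{REWRITERS[host]}={quote(url, safe='')}"


def build_chain(target: str, hosts: List[str]) -> str:
    """Apply wrappers in order, so hosts[-1] becomes the outermost layer."""
    url = target
    for host in hosts:
        url = wrap(url, host)
    return url


def unwrap_rewrites(url: str, max_depth: int = 10) -> List[str]:
    """Peel nested wrappers, returning the encoders seen from outermost inward.

    A layer is recognised by its host; parse_qs removes exactly one level of
    percent-encoding per step. Stops at the first unrecognised host or at
    max_depth, so malformed or self-referencing input cannot loop forever.
    """
    encoders: List[str] = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        host = parts.hostname or ""
        param = REWRITERS.get(host)
        if param is None:
            break
        inner = parse_qs(parts.query).get(param)
        if not inner:
            break
        encoders.append(host)
        current = inner[0]
    return encoders


def make_link(href: str) -> dict:
    """Shape a link like the MQL path .href_url.rewrite.encoders."""
    return {"href_url": {"url": href, "rewrite": {"encoders": unwrap_rewrites(href)}}}


def excessive_distinct_encoders(link: dict, threshold: int = ENCODER_THRESHOLD) -> bool:
    """The rule's per-link predicate: at least `threshold` encoders AND at
    least `threshold` distinct ones. Four copies of one encoder do not match."""
    encoders = link["href_url"]["rewrite"]["encoders"]
    return len(encoders) >= threshold and len(set(encoders)) >= threshold


def rule_matches(message: dict) -> bool:
    """type.inbound and any(body.current_thread.links, <predicate>)."""
    links = message["body"]["current_thread"]["links"]
    return bool(message["type"]["inbound"]) and any(
        excessive_distinct_encoders(link) for link in links
    )


def make_message(hrefs: List[str], inbound: bool = True) -> dict:
    """Constructed message object with only the fields the rule reads."""
    return {"type": {"inbound": inbound},
            "body": {"current_thread": {"links": [make_link(h) for h in hrefs]}}}


if __name__ == "__main__":
    target = "https://login.example.net/"  # constructed destination
    distinct = build_chain(target, list(REWRITERS))
    repeated = build_chain(target, ["rewriter-a.example"] * 4)
    print("four distinct wrappers ->", rule_matches(make_message([distinct])))  # True
    print("one wrapper four times ->", rule_matches(make_message([repeated])))  # False
```

Run it as a script to see the two cases side by side. The repeated-wrapper case is the one to keep in mind when tuning: the query's `distinct(...)` clause means a URL wrapped four times by a single rewriter falls through this rule, even though the description mentions repeated encoders, so coverage for that pattern has to come from elsewhere.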