Link: Recipient email address in 'eta' parameter
Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.
Detection Query
type.inbound
and length(recipients.to) == 1
and any(body.links,
        // eta is the only key
        length(keys(.href_url.query_params_decoded)) == 1
        and (
          // the recipient's email domain is in the value
          // we've seen cases where `.` in the local part is missing from the value, so we rely on the domain only
          strings.icontains(.href_url.query_params_decoded["eta"][0],
                            recipients.to[0].email.domain.domain
          )
          // support base64 form as well
          or strings.icontains(strings.decode_base64(.href_url.query_params_decoded["eta"][0]),
                               recipients.to[0].email.domain.domain
          )
        )
)
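As an added example that is not part of this rule page or Sublime's own code, the following Python reimplements the query's per-link check and runs it over constructed sample links, including the case the comment describes (dots dropped from the local part) and the base64 form. It assumes a lenient base64 decoder that returns an empty string on invalid input, standing in for the rule's `strings.decode_base64` branch; the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

RECIPIENT = "jane.doe@example.com"  # constructed sample recipient (recipients.to[0])
SAMPLE_LINKS = [  # constructed sample body.links
    "https://track.example.net/open?eta=janedoe%40example.com",         # dot dropped from local part
    "https://track.example.net/open?eta="
    + base64.b64encode(RECIPIENT.encode()).decode(),                    # base64-encoded form
    "https://track.example.net/open?eta=janedoe%40example.com&id=7",   # 'eta' is not the only key
    "https://track.example.net/open?eta=someone%40other.org",          # someone else's address
]


def decode_base64_lenient(value: str) -> str:
    """Approximate strings.decode_base64 (assumption): decode if valid, otherwise return ''."""
    # A '+' in the value may have become a space during query-string decoding.
    value = value.replace(" ", "+")
    value += "=" * (-len(value) % 4)  # tolerate missing padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def link_targets_recipient(href: str, recipient_email: str) -> bool:
    """Per-link check: 'eta' is the only query key and its raw or base64-decoded
    value contains the recipient's domain (case-insensitive)."""
    params = parse_qs(urlsplit(href).query, keep_blank_values=True)  # ~ query_params_decoded
    if set(params) != {"eta"}:
        return False
    domain = recipient_email.rsplit("@", 1)[-1].lower()  # ~ email.domain.domain
    eta = params["eta"][0]
    return domain in eta.lower() or domain in decode_base64_lenient(eta).lower()


def rule_matches(recipients_to: list[str], links: list[str]) -> bool:
    """Rule-level logic: exactly one recipient and any link passes the check."""
    if len(recipients_to) != 1:
        return False
    return any(link_targets_recipient(href, recipients_to[0]) for href in links)


if __name__ == "__main__":
    for href in SAMPLE_LINKS:
        print(link_targets_recipient(href, RECIPIENT), href)
    print("rule fires:", rule_matches([RECIPIENT], SAMPLE_LINKS))
```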
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "Link: Recipient email address in 'eta' parameter"
description: "Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and any(body.links,
          // eta is the only key
          length(keys(.href_url.query_params_decoded)) == 1
          and (
            // the recipient's email domain is in the value
            // we've seen cases where `.` in the local part is missing from the value, so we rely on the domain only
            strings.icontains(.href_url.query_params_decoded["eta"][0],
                              recipients.to[0].email.domain.domain
            )
            // support base64 form as well
            or strings.icontains(strings.decode_base64(.href_url.query_params_decoded["eta"][0]),
                                 recipients.to[0].email.domain.domain
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "d24e42a2-f8f3-55ca-b992-246e6b901b43"