
Link: Personalized URL with recipient address on commonly abused web service

Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics.

Detection Query

// Scope: inbound mail addressed to exactly one recipient whose domain is
// valid, carrying between 1 and 9 body links.  The single-recipient and
// small-link-count gates presumably favor individually addressed messages
// over bulk sends.
type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and 0 < length(body.links) < 10
// Link gate: at least one hyperlink-parsed link must satisfy every clause
// inside this any() (personalization, abused host, fragment shape, and the
// exclusions that follow).
and any(body.links,
        .parser == "hyperlink"
        and (
          // the recipient email is in the url
          // Case-insensitive substring match of the recipient address against
          // the URL path and fragment, and against any base64 segments
          // decoded from either (padding optional).
          // NOTE(review): these are plain substring checks on the address as
          // written; a URL-encoded form (e.g. '@' as '%40') would only match
          // if href_url.path / href_url.fragment are already decoded — confirm.
          (
            strings.icontains(.href_url.path, recipients.to[0].email.email)
            or strings.icontains(.href_url.fragment,
                                 recipients.to[0].email.email
            )
            or any(strings.scan_base64(.href_url.path, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
            or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
          )
        )
        // Host gate: the link must land on a commonly abused hosting class
        // (free file hosts, free subdomain hosts, self-service creation
        // platforms, URL shorteners, or sendgrid.net), a suspicious TLD other
        // than 'me'/'us', a domain whose WHOIS record is under 30 days old, or
        // a path containing '/wp-admin/', '/wp-includes/' or '/redirect'.
        and (
          (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain == 'sendgrid.net'
            or (
              .href_url.domain.tld in $suspicious_tlds
              and not .href_url.domain.tld in ('me', 'us')
            )
            or network.whois(.href_url.domain).days_old < 30
            or regex.icontains(.href_url.path,
                               '\/(?:wp-(?:admin|includes)\/|redirect)'
            )
          )
          // geotab.com is exempted from the host gate above
          and not .href_url.domain.root_domain in ('geotab.com')
        )
        // the url contains #
        and strings.contains(.href_url.url, '#')

        // the url doesnt contain #? or #/
        // (fragments of the '#/' or '#?' shape are dropped; only the bare
        // '#<value>' form is kept)
        and not regex.contains(.href_url.url, '#[/?]')

        // not sharepoint
        and not .href_url.domain.root_domain == 'sharepoint.com'

        // the url doesnt contain campaign params
        // (location= and the utm_* family anywhere in the URL, case-insensitive)
        and not regex.icontains(.href_url.url,
                                '(?:location|utm_(?:term|source|medium|content|campaign))='
        )
        // too many fp on typeform and no recent tp
        and not .href_url.domain.root_domain == 'typeform.com'

        // no welcome links on frame.io
        and not (
          .href_url.domain.domain == 'accounts.frame.io'
          and .href_url.path == '/welcome'
        )
        // we dont want links with common unsubscribe paths
        and not strings.icontains(.href_url.path, "unsubscribe")
)

// not mimecast email with malicious blocked url in it
// (Mimecast content-policy notifications are excluded, matched on subject
// and current-thread body text)
and not (
  subject.base == 'A message triggered content policies'
  and strings.icontains(body.current_thread.text, 'Mimecast Services Limited')
)
// Drop messages the NLU classifier labels 'benign' with high confidence.
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == 'benign' and .confidence == 'high'
)
// Sender trust: senders outside $high_trust_sender_root_domains always pass
// this clause; high-trust senders pass only when DMARC did not pass.  A
// missing DMARC result is treated as not passing via coalesce(..., false).
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Display name of the rule as shown in the rule catalog.
name: "Link: Personalized URL with recipient address on commonly abused web service"
# One-paragraph summary of what the rule detects and why.
description: "Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics."
# Rule-definition kind and assigned severity.
type: "rule"
severity: "medium"
# Detection logic (MQL), evaluated per inbound message.
source: |
    // Scope: inbound mail addressed to exactly one recipient whose domain is
    // valid, carrying between 1 and 9 body links.  The single-recipient and
    // small-link-count gates presumably favor individually addressed messages
    // over bulk sends.
    type.inbound
    and length(recipients.to) == 1
    and recipients.to[0].email.domain.valid
    and 0 < length(body.links) < 10
    // Link gate: at least one hyperlink-parsed link must satisfy every clause
    // inside this any() (personalization, abused host, fragment shape, and the
    // exclusions that follow).
    and any(body.links,
            .parser == "hyperlink"
            and (
              // the recipient email is in the url
              // Case-insensitive substring match of the recipient address against
              // the URL path and fragment, and against any base64 segments
              // decoded from either (padding optional).
              // NOTE(review): these are plain substring checks on the address as
              // written; a URL-encoded form (e.g. '@' as '%40') would only match
              // if href_url.path / href_url.fragment are already decoded — confirm.
              (
                strings.icontains(.href_url.path, recipients.to[0].email.email)
                or strings.icontains(.href_url.fragment,
                                     recipients.to[0].email.email
                )
                or any(strings.scan_base64(.href_url.path, ignore_padding=true),
                       strings.icontains(., recipients.to[0].email.email)
                )
                or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                       strings.icontains(., recipients.to[0].email.email)
                )
              )
            )
            // Host gate: the link must land on a commonly abused hosting class
            // (free file hosts, free subdomain hosts, self-service creation
            // platforms, URL shorteners, or sendgrid.net), a suspicious TLD other
            // than 'me'/'us', a domain whose WHOIS record is under 30 days old, or
            // a path containing '/wp-admin/', '/wp-includes/' or '/redirect'.
            and (
              (
                .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.domain in $free_file_hosts
                or .href_url.domain.root_domain in $free_subdomain_hosts
                or .href_url.domain.domain in $free_subdomain_hosts
                or .href_url.domain.root_domain in $self_service_creation_platform_domains
                or .href_url.domain.domain in $self_service_creation_platform_domains
                or .href_url.domain.root_domain in $url_shorteners
                or .href_url.domain.domain in $url_shorteners
                or .href_url.domain.root_domain == 'sendgrid.net'
                or (
                  .href_url.domain.tld in $suspicious_tlds
                  and not .href_url.domain.tld in ('me', 'us')
                )
                or network.whois(.href_url.domain).days_old < 30
                or regex.icontains(.href_url.path,
                                   '\/(?:wp-(?:admin|includes)\/|redirect)'
                )
              )
              // geotab.com is exempted from the host gate above
              and not .href_url.domain.root_domain in ('geotab.com')
            )
            // the url contains #
            and strings.contains(.href_url.url, '#')
    
            // the url doesnt contain #? or #/
            // (fragments of the '#/' or '#?' shape are dropped; only the bare
            // '#<value>' form is kept)
            and not regex.contains(.href_url.url, '#[/?]')
    
            // not sharepoint
            and not .href_url.domain.root_domain == 'sharepoint.com'
    
            // the url doesnt contain campaign params
            // (location= and the utm_* family anywhere in the URL, case-insensitive)
            and not regex.icontains(.href_url.url,
                                    '(?:location|utm_(?:term|source|medium|content|campaign))='
            )
            // too many fp on typeform and no recent tp
            and not .href_url.domain.root_domain == 'typeform.com'
    
            // no welcome links on frame.io
            and not (
              .href_url.domain.domain == 'accounts.frame.io'
              and .href_url.path == '/welcome'
            )
            // we dont want links with common unsubscribe paths
            and not strings.icontains(.href_url.path, "unsubscribe")
    )
    
    // not mimecast email with malicious blocked url in it
    // (Mimecast content-policy notifications are excluded, matched on subject
    // and current-thread body text)
    and not (
      subject.base == 'A message triggered content policies'
      and strings.icontains(body.current_thread.text, 'Mimecast Services Limited')
    )
    // Drop messages the NLU classifier labels 'benign' with high confidence.
    and not any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == 'benign' and .confidence == 'high'
    )
    // Sender trust: senders outside $high_trust_sender_root_domains always pass
    // this clause; high-trust senders pass only when DMARC did not pass.  A
    // missing DMARC result is treated as not passing via coalesce(..., false).
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not coalesce(headers.auth_summary.dmarc.pass, false)
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
# Attack categories this rule is filed under.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
# Adversary tactics the rule's gates correspond to.
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
# Analysis methods the query relies on (link/host checks and DMARC header state).
detection_methods:
  - "URL analysis"
  - "Header analysis"
# Stable identifier for this rule definition.
id: "e3b5fa90-2149-54b7-ae9a-87cda01b24a5"