Sublime rule (severity: high)

Link: Suspicious URL with recipient targeting and special characters

Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // a single path
        strings.count(.href_url.path, '/') == 2
        and (
          strings.icontains(.href_url.path, '/$')
          or strings.icontains(.href_url.path, '/*')
          or strings.icontains(.href_url.url, '/#')
        )
        and (
          // special char in the path
          (
            (
              strings.icontains(.href_url.path, '!')
              or strings.icontains(.href_url.path, '@')
            )

            // ensure expected ordering
            and regex.icontains(.href_url.url, '[!@].*\/[$\*#]')
          )
          // num{3}alpha or alphanum{3}
          or (
            // in subdomain
            regex.icontains(.href_url.domain.subdomain,
                            '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)'
            )
            // url path
            and regex.icontains(.href_url.path,
                                '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
            )
          )
        )
        and (
          strings.icontains(.href_url.path, recipients.to[0].email.email)
          or any(strings.scan_base64(.href_url.url,
                                     ignore_padding=true,
                                     format="url"
                 ),
                 strings.icontains(., recipients.to[0].email.email)
          )
        )
)
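
To make the link predicate concrete, here is an added Python approximation of it (not Sublime's code and not part of the rule) run over constructed sample URLs for a fictional recipient; strings.scan_base64 and the subdomain split are approximated as the comments note, and the helper names (scan_base64_url, link_matches, evaluate, b64url) are this example's own.

```python
import base64
import re
from urllib.parse import urlsplit
# Regexes copied from the rule (case-insensitive, as regex.icontains is).
RE_ORDER = re.compile(r'[!@].*\/[$\*#]', re.I)
RE_SUBDOMAIN = re.compile(r'^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)', re.I)
RE_PATH = re.compile(r'\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/', re.I)
# Approximates strings.scan_base64(ignore_padding=true, format="url"): any
# run of URL-safe base64 characters long enough to carry an address.
RE_B64_URL = re.compile(r'[A-Za-z0-9_-]{16,}')

def scan_base64_url(text):
    """Decode each URL-safe base64 run in text, tolerating stripped padding."""
    decoded = []
    for token in RE_B64_URL.findall(text):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
            decoded.append(raw.decode("utf-8", "ignore"))
        except ValueError:
            continue
    return decoded

def link_matches(url, recipient):
    """Port of the any(body.links, ...) predicate for a single href_url."""
    parts = urlsplit(url)
    path, rcpt = parts.path, recipient.lower()
    lower_path, lower_url = path.lower(), url.lower()
    # Simplification: the rule uses the public suffix list; here the registered
    # domain is taken to be the last two labels of the hostname.
    subdomain = ".".join((parts.hostname or "").split(".")[:-2])
    single_path = path.count("/") == 2
    suspicious_end = "/$" in lower_path or "/*" in lower_path or "/#" in lower_url
    special_char = ("!" in path or "@" in path) and bool(RE_ORDER.search(url))
    num3alpha = bool(RE_SUBDOMAIN.search(subdomain)) and bool(RE_PATH.search(path))
    targets_rcpt = rcpt in lower_path or any(rcpt in s.lower() for s in scan_base64_url(url))
    return single_path and suspicious_end and (special_char or num3alpha) and targets_rcpt

# Constructed sample data: reserved example domains and a fictional recipient.
RECIPIENT = "alice@example.com"
def b64url(s):
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
SAMPLE_LINKS = {
    "b64_fragment": f"https://abc123.example.net/xyz789/#{b64url(RECIPIENT)}",
    "plain_path": "https://login.example.net/x!y/$alice@example.com",
    "other_rcpt": f"https://abc123.example.net/xyz789/#{b64url('bob@example.com')}",
    "benign": "https://www.example.net/docs/getting-started/",
}

def evaluate(links=SAMPLE_LINKS, recipient=RECIPIENT):
    return {name: link_matches(url, recipient) for name, url in links.items()}
```

The "other_rcpt" case shows why the rule keys on the actual recipient: the same URL shape aimed at a different address does not fire.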

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Link: Suspicious URL with recipient targeting and special characters"
description: "Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.valid
  and any(body.links,
          // a single path
          strings.count(.href_url.path, '/') == 2
          and (
            strings.icontains(.href_url.path, '/$')
            or strings.icontains(.href_url.path, '/*')
            or strings.icontains(.href_url.url, '/#')
          )
          and (
            // special char in the path
            (
              (
                strings.icontains(.href_url.path, '!')
                or strings.icontains(.href_url.path, '@')
              )

              // ensure expected ordering
              and regex.icontains(.href_url.url, '[!@].*\/[$\*#]')
            )
            // num{3}alpha or alphanum{3}
            or (
              // in subdomain
              regex.icontains(.href_url.domain.subdomain,
                              '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)(?:$|\.)'
              )
              // url path
              and regex.icontains(.href_url.path,
                                  '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
              )
            )
          )
          and (
            strings.icontains(.href_url.path, recipients.to[0].email.email)
            or any(strings.scan_base64(.href_url.url,
                                       ignore_padding=true,
                                       format="url"
                   ),
                   strings.icontains(., recipients.to[0].email.email)
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "e808be3a-e00c-5565-87f7-d0ca0411650d"