sublime | high | Rule
Service abuse: Mimecast URL with excessive path length
Detects messages containing the second stage Mimecast redirect URL with unusually long paths, potentially indicating abuse of the Mimecast URL redirection service to obfuscate malicious destinations.
Detection Query
type.inbound
and any(filter(body.links,
               strings.icontains(.href_url.domain.root_domain, "mimecast")
               and strings.starts_with(.href_url.path, "/r/")
        ),
        length(.href_url.path) > 2000
)
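The same predicate applied offline to an HTML body, as an added example for testing the rule's logic against sample links; it is not Sublime's engine or code from the rule's authors. Assumptions: `root_domain` is approximated as the last two host labels (no public suffix list), and every hostname in the sample body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PATH_LIMIT = 2000  # threshold from the rule: length(.href_url.path) > 2000

class HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def root_domain(host):
    """Assumption: the last two labels stand in for .href_url.domain.root_domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_mimecast_redirect(url):
    """Filter stage: root domain contains "mimecast" and path starts with /r/."""
    parts = urlsplit(url)
    return ("mimecast" in root_domain(parts.hostname or "")
            and parts.path.startswith("/r/"))

def flagged_links(html_body):
    """Return filtered links whose path is longer than PATH_LIMIT characters."""
    parser = HrefCollector()
    parser.feed(html_body)
    return [h for h in parser.hrefs
            if is_mimecast_redirect(h) and len(urlsplit(h).path) > PATH_LIMIT]

# Constructed sample body: hostnames and path tokens are made up.
SAMPLE_BODY = (
    '<a href="https://url.mimecast-example.test/r/' + "A" * 2100 + '">long</a>'
    '<a href="https://url.mimecast-example.test/r/' + "B" * 120 + '">short</a>'
    '<a href="https://url.mimecast-example.test/s/' + "C" * 2100 + '">not /r/</a>'
    '<a href="https://mimecast.example.test/r/' + "D" * 2100 + '">subdomain</a>'
)

if __name__ == "__main__":
    for link in flagged_links(SAMPLE_BODY):
        print(len(urlsplit(link).path), link[:60] + "...")
```

Only the first sample link is flagged: the second is under the length threshold, the third is not under `/r/`, and the fourth has "mimecast" only in a subdomain, which the root-domain check ignores.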
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Service abuse: Mimecast URL with excessive path length"
description: "Detects messages containing the second stage Mimecast redirect URL with unusually long paths, potentially indicating abuse of the Mimecast URL redirection service to obfuscate malicious destinations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(body.links,
                 strings.icontains(.href_url.domain.root_domain, "mimecast")
                 and strings.starts_with(.href_url.path, "/r/")
          ),
          length(.href_url.path) > 2000
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "URL analysis"
id: "eb800883-be30-58a8-8435-6aada6c73e2e"