Link: Base64 encoded recipient address in URL fragment with subject hash
Detects inbound messages whose subject line contains an alphanumeric token of 32 to 64 characters (matched case-insensitively) that reappears in the URL fragment of a link in the body, where that same fragment also carries the recipient's email address in base64. The query binds the subject token as the named group `string` and, inside the nested `any()` over `body.links`, refers back to it as `..named_groups["string"]`; the base64 check is made against the first `To:` recipient only (`recipients.to[0]`). This technique is commonly used to personalize malicious links and to evade detection by embedding the target's email address within the URL structure rather than in the visible message text.
Detection Query
type.inbound
and any(regex.iextract(subject.subject,
                       '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
        ),
        any(body.links,
            strings.contains(.href_url.fragment, ..named_groups["string"])
            and any(strings.scan_base64(.href_url.fragment),
                    strings.contains(., recipients.to[0].email.email)
            )
        )
)
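The same logic, written out in Python as an added example so it can be run against a sample message offline. This is not Sublime's code: the message model (a subject string, a list of href URLs, the first To: address) is a stand-in for the MQL fields the rule reads, and `scan_base64` is an assumption about how `strings.scan_base64` behaves (find base64-looking runs, decode the ones that decode cleanly), not its documented implementation. The sample token, address and links are constructed for the example. It also exercises a corner of the rule's own regex: the leading `[^a-z0-9]` consumes one character, so a subject that consists of nothing but the token does not match.

```python
import base64
import re
from urllib.parse import urlparse

# The rule's subject pattern verbatim; re.I stands in for regex.iextract's
# case-insensitive matching. The leading [^a-z0-9] consumes one character,
# so a token at the very start of the subject is not extracted.
SUBJECT_TOKEN_RE = re.compile(
    r"[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])", re.I
)

# Assumption: strings.scan_base64 behaves roughly like "find base64-looking
# runs and decode the ones that decode cleanly". Standard and URL-safe
# alphabets are both accepted here.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")


def subject_tokens(subject):
    """Every 32-64 char alphanumeric token the rule's regex extracts from the subject."""
    return [m.group("string") for m in SUBJECT_TOKEN_RE.finditer(subject)]


def scan_base64(text):
    """Approximation of strings.scan_base64: decoded UTF-8 text for each base64 run."""
    decoded = []
    for run in B64_RUN_RE.findall(text):
        candidate = run.replace("-", "+").replace("_", "/")
        candidate += "=" * (-len(candidate) % 4)  # restore stripped padding
        try:
            decoded.append(base64.b64decode(candidate, validate=True).decode("utf-8"))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
    return decoded


def matches_rule(subject, links, first_to):
    """Python equivalent of the MQL query for one message.

    subject:  the Subject header value
    links:    href URLs extracted from the body (body.links[].href_url)
    first_to: the first To: recipient address (recipients.to[0].email.email)
    """
    tokens = subject_tokens(subject)
    for href in links:
        fragment = urlparse(href).fragment
        if not fragment:
            continue
        # strings.contains(.href_url.fragment, ..named_groups["string"])
        if not any(tok in fragment for tok in tokens):
            continue
        # any(strings.scan_base64(.href_url.fragment), strings.contains(., recipient))
        if any(first_to in s for s in scan_base64(fragment)):
            return True
    return False


# Constructed sample message (not real traffic): a 40-char hex token in the
# subject, reused in the link fragment next to the base64 of the recipient.
SAMPLE_TOKEN = "3f9c" * 10
SAMPLE_EMAIL = "victim@example.com"
SAMPLE_B64 = base64.b64encode(SAMPLE_EMAIL.encode()).decode()  # dmljdGltQGV4YW1wbGUuY29t
SAMPLE_SUBJECT = "Invoice ready: " + SAMPLE_TOKEN
SAMPLE_LINKS = [
    "https://example.invalid/help",  # no fragment at all
    "https://example.invalid/verify#" + SAMPLE_TOKEN + "." + SAMPLE_B64,
]


def run_samples():
    """Evaluate the rule over the constructed message and a few negative variants."""
    return {
        "hit": matches_rule(SAMPLE_SUBJECT, SAMPLE_LINKS, SAMPLE_EMAIL),
        # Fragment encodes a different address than the first To: recipient.
        "other_recipient": matches_rule(SAMPLE_SUBJECT, SAMPLE_LINKS, "other@example.com"),
        # Subject is nothing but the token: the regex needs a preceding char.
        "bare_token_subject": matches_rule(SAMPLE_TOKEN, SAMPLE_LINKS, SAMPLE_EMAIL),
        # Fragment carries the base64 address but not the subject token.
        "no_token_in_fragment": matches_rule(
            SAMPLE_SUBJECT, ["https://example.invalid/verify#" + SAMPLE_B64], SAMPLE_EMAIL
        ),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:>22}: {'MATCH' if hit else 'no match'}")
```

The separator between the token and the base64 blob in the sample fragment matters: a `.` is outside both base64 alphabets, so the two runs are decoded independently. If a sender glues them together into one run, whether the address is recovered depends on how the scanner segments the fragment, which is worth testing against the real `strings.scan_base64` before relying on this rule for that layout.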
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "Link: Base64 encoded recipient address in URL fragment with subject hash"
description: "Detects messages containing an alphanumeric string that is between 32 and 64 characters in the subject line that corresponds to a URL fragment containing the recipient's email address encoded in base64. This technique is commonly used to personalize malicious links and evade detection by embedding the target's email address within the URL structure."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(regex.iextract(subject.subject,
                         '[^a-z0-9](?P<string>[a-z0-9]{32,64})(?:$|[^a-z0-9])'
          ),
          any(body.links,
              strings.contains(.href_url.fragment, ..named_groups["string"])
              and any(strings.scan_base64(.href_url.fragment),
                      strings.contains(., recipients.to[0].email.email)
              )
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
- "Header analysis"
id: "eb9694b8-f4dc-5e82-8d05-c359dbf179cc"