← Back to Explore
sublimemediumRule
Link: Suspicious go.php redirect with document lure
Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.
Detection Query
type.inbound
and any(body.current_thread.links,
strings.ends_with(.href_url.path, "go.php")
and strings.starts_with(.href_url.query_params, "auth=")
and strings.count(.href_url.path, "/") == 2
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Suspicious go.php redirect with document lure"
description: "Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.current_thread.links,
strings.ends_with(.href_url.path, "go.php")
and strings.starts_with(.href_url.query_params, "auth=")
and strings.count(.href_url.path, "/") == 2
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "f3d8c227-116e-578c-9e12-4be0efd02e94"