EXPLORE
← Back to Explore
sublimelowRule

URL shortener from suspicious sender TLD

Message contains a URL shortener and the sender's domain's TLD is suspicious.

Detection Query

type.inbound
and sender.email.domain.tld in $suspicious_tlds
and any(body.links,
        .href_url.domain.domain in $url_shorteners
        // exempting legitimate Google Maps shortener
        and not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
)
and sender.email.email not in $recipient_emails

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

URL shortener
Raw Content
name: "URL shortener from suspicious sender TLD"
description: |
  Message contains a URL shortener and the sender's domain's TLD is suspicious.
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.tld in $suspicious_tlds
  and any(body.links,
          .href_url.domain.domain in $url_shorteners
          // exempting legitimate Google Maps shortener
          and not strings.ilike(.href_url.url, "http?://goo.gl/maps*")
  )
  and sender.email.email not in $recipient_emails
tags:
  - "URL shortener"