EXPLORE
Sign In
← Back to Explore
sublimemediumRule

URL shortener blocklist

Message contains a URL shortener that is often used for phishing and infrequently used legitimately in an email environment.

Detection Query

type.inbound
and any(body.links, .href_url.domain.domain == "cutt.ly")

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Tags

URL shortener
Raw Content
name: "URL shortener blocklist"
description: |
  Message contains a URL shortener that is often used for phishing and infrequently used legitimately in an email environment.
type: "rule"
references:
  - "https://twitter.com/fr0s7_/status/1511002911664488462"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .href_url.domain.domain == "cutt.ly")
tags:
  - "URL shortener"