name: "Link: Suspicious URL with recipient targeting and special characters"
2
+
description: "Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
3
+
type: "rule"
4
+
severity: "high"
5
+
source: |
6
+
type.inbound
7
+
and length(recipients.to) == 1
8
+
and recipients.to[0].email.domain.valid
9
+
and any(body.current_thread.links,
10
+
// a single path
11
+
strings.count(.href_url.path, '/') == 2
12
+
// special chars
13
+
and (
14
+
strings.icontains(.href_url.path, '/$')
15
+
or strings.icontains(.href_url.path, '/*')
16
+
or strings.icontains(.href_url.url, '/#')
17
+
)
18
+
// and not where the # is within a directory structure
19
+
// which is followed by url query params (the ? or = )
20
+
// had some fps based on an unsual use of this char within paths where url query param
21
+
and not regex.icontains(.href_url.url, '\/[^\/]*#[^\/]*\/[^$]*\?', )
22
+
23
+
// also not where it's #! or #, which causes the fragment to start with punctuation unless that puncutation is a ?
24
+
// we use coalesce to account for where there is no fragment and the regex.icontains returns null
25
+
and not coalesce(regex.icontains(.href_url.fragment, '^[!,]'), false)
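Review bot: The visible hunk never checks for the recipient targeting that the `name` and `description` promise: nothing in the `any(body.current_thread.links, ...)` block compares the link's path or fragment against `recipients.to[0].email` (plain or base64-encoded), and the `any(` opened at the `and any(body.current_thread.links,` line is not closed by the last line shown, so either the hunk is truncated on this page or the rule is missing its central condition and the description overstates what it detects; please confirm the full block or add the recipient comparison before merging. Two smaller points in the same block: the call `regex.icontains(.href_url.url, '\/[^\/]*#[^\/]*\/[^$]*\?', )` carries a stray trailing comma before the closing parenthesis, and inside a character class `$` is a literal, so `[^$]*` means "any run of characters other than a dollar sign" rather than "anything up to end of string"; if the intent is to reach the `?` regardless of content, `.*\?` or `[^?]*\?` states that directly. The comments also have typos (`unsual`, `puncutation`) worth fixing while the file is being touched.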