[PR #3950] modified rule: PR# 3950 - Link: Unsolicited email contains shortened or file sharing service redirecting to blob URL

github-actions[bot] · github-actions[bot] · commit 25e575ef7e6f · 2026-02-11T23:50:51.000Z
diff --git a/detection-rules/3950_link_shortened_or_file_sharing_service_redirecting_to_blob_url.yml b/detection-rules/3950_link_shortened_or_file_sharing_service_redirecting_to_blob_url.yml
@@ -1,11 +1,10 @@
-name: "PR# 3950 - Link: Shortened or file sharing service redirecting to blob URL"
+name: "PR# 3950 - Link: Unsolicited email contains shortened or file sharing service redirecting to blob URL"
 description: "Detects messages containing links from URL shorteners, file hosts, or self-service platforms that redirect to blob URLs, indicating potential malware delivery or credential harvesting from unsolicited senders."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
   and 0 < length(body.links) < 10
-  and not profile.by_sender().solicited
   and length(recipients.to) == 1
   and recipients.to[0].email.domain.valid
   and any(body.links,
@@ -20,6 +19,7 @@ source: |
           // the url redirects to a blob url 
           and strings.icontains(ml.link_analysis(.).effective_url.url, 'blob:')
   )
+  and not profile.by_sender().solicited
 
 attack_types:
   - "Credential Phishing"
