[PR #3027] changed rule: Link: Multiple HTTP protocols in single URL

Author: github-actions[bot]

detection-rules/3027_link_multiple_http_protocols_in_single_url.yml

@@ -0,0 +1,22 @@
+name: "Link: Multiple HTTP protocols in single URL"
+description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.current_thread.links) < 10
+  and any(body.current_thread.links, regex.icount(.href_url.url, 'http(s)?(%)?[^a-z]') >= 5 and .visible)
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "dea82f37-8cfd-5233-9deb-bc436aba8182"
+og_id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"
+testing_pr: 3027
+testing_sha: e460c3468bf1452d7ead1d4c28082a53831cd909