Create link_multiple_http_protocols_in_single_url.yml (#3027)

morriscode · ID Generator · zoomequipd · web-flow · commit 7b38a363da32 · 2025-10-30T17:17:39.000Z
Co-authored-by: ID Generator &lt;hello@sublimesecurity.com&gt;
Co-authored-by: Brandon Murphy &lt;4827852+zoomequipd@users.noreply.github.com&gt;
Co-authored-by: Alex Herold &lt;alex.herold@sublimesecurity.com&gt;
diff --git a/detection-rules/link_multiple_http_protocols_in_single_url.yml b/detection-rules/link_multiple_http_protocols_in_single_url.yml
@@ -0,0 +1,54 @@
+name: "Link: Multiple HTTP protocols in single URL"
+description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.current_thread.links) < 10
+  and any(body.current_thread.links,
+          .visible
+          // no ability to loop query_params_decoded, so create the non-decoded equivlent 
+          and not strings.icontains(.href_url.url, 'unsubscribe')
+          and not strings.icontains(.display_text, 'unsubscribe')
+          and any(regex.extract(.href_url.query_params,
+                                '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
+                  ),
+  
+                  // filter down to query params that start with a url
+                  regex.contains(.named_groups['value'],
+                                 '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
+                  )
+                  // the number of unique domains in the URL query param is greater or equal to three
+                  and length(distinct(map(filter(regex.iextract(.named_groups['value'],
+                                                         '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
+                                          ),
+                                          // sometimes URLs have // and produce entries we want to skip
+                                          // so ensure it's a valid domain first
+                                          strings.parse_domain(.named_groups['domain']).error is null
+                                          and strings.parse_domain(.named_groups['domain']).valid
+                                          // remove domain that are the same as the sender root domain
+                                          and strings.parse_domain(.named_groups['domain']).root_domain != sender.email.domain.root_domain
+                                      ),
+                                      // return just the root domian
+                                      strings.parse_domain(.named_groups['domain']).root_domain
+                             ), .)
+                  ) >= 3
+  
+                  // there are three or more total URLs in that query param
+                  and regex.count(.named_groups['value'],
+                                  '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
+                  ) >= 3
+          )
+  )
+
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"
