
Conversation

@morriscode (Member)

Description

New ASR coverage for heavy link obfuscation through multiple redirection/security services.

@morriscode morriscode requested a review from a team as a code owner July 31, 2025 02:14
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jul 31, 2025
@zoomequipd (Member)

Looking through test results, I had a couple of ideas to improve this idea.
Note: your reference hunt no longer matches the included rule due to being parsed out via URL decoders.

After noticing the test-rules results matched when many different URL query params each contained a single URL, the idea was that the URLs should be within a single URL query param. I had to reconstruct some of the functionality provided by query_params_decoded, but I think this worked well.

Once I was able to narrow the matches down to a single query param, I realized it's really the different domains of the URLs that were interesting. I was able to reduce FPs by extracting the domain out of the "embedded" URL and then ensuring they were different and not the same as the sender domain, then counting the number of unique domains embedded in the query param.

Hunt and proposed MQL: https://platform.sublime.security/messages/hunt?huntId=01990742-61de-7a2f-a468-1ac9f785cf0a
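The per-parameter domain-counting logic described in the comment above, written out as an added Python illustration. This is not the PR's MQL rule and not Sublime's code: it repeatedly URL-decodes each query parameter (standing in for what `query_params_decoded` would provide), pulls out every embedded absolute URL including nested ones, reduces each host to a registered domain (simplified to the last two labels, with no public suffix list), discards the sender's domain, and counts the distinct domains found in a single parameter. The threshold of two domains, the substring check used for the unsubscribe negation, and the sample URLs are constructed assumptions.

```python
"""Heuristic for heavy link obfuscation: many distinct domains embedded in
one query parameter of a redirector/security-scanner link.

Added example; not the PR's rule and not Sublime's MQL. The threshold,
the unsubscribe check and the sample URLs are assumptions."""
import re
from typing import Dict, Set
from urllib.parse import parse_qs, unquote, urlsplit

# Lookahead so that nested URLs are reported as overlapping matches:
# "https://a.test/?u=https://b.test" yields both the outer and the inner URL.
EMBEDDED_URL_RE = re.compile(r"(?=(https?://[^\s\"'<>]+))", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    URL that was encoded several times on its way through multiple
    redirectors comes out as plain text. Bound is an assumption."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def registered_domain(host: str) -> str:
    """Simplified registered domain: the last two labels of the hostname.
    A real implementation would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_domains_per_param(url: str) -> Dict[str, Set[str]]:
    """Map each query parameter name to the set of registered domains of the
    absolute URLs embedded (possibly nested and multiply encoded) in its value."""
    parts = urlsplit(url)
    result: Dict[str, Set[str]] = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        domains: Set[str] = set()
        for value in values:
            for match in EMBEDDED_URL_RE.finditer(fully_decode(value)):
                try:
                    host = urlsplit(match.group(1)).hostname
                except ValueError:  # malformed netloc (e.g. bad IPv6 literal)
                    continue
                if host:
                    domains.add(registered_domain(host))
        result[name] = domains
    return result


def count_suspicious_domains(url: str, sender_domain: str) -> int:
    """Largest number of distinct embedded domains, other than the sender's,
    found in any single query parameter. Counting per parameter (rather than
    across the whole URL) is what separates a redirect chain from a tracking
    link that merely carries several independent URLs in separate params."""
    sender = registered_domain(sender_domain)
    best = 0
    for domains in embedded_domains_per_param(url).values():
        best = max(best, len(domains - {sender}))
    return best


def is_heavy_obfuscation(url: str, sender_domain: str, min_domains: int = 2) -> bool:
    """Flag a link when one parameter embeds at least `min_domains` distinct
    third-party domains. Unsubscribe links are negated with a plain substring
    check on the fully decoded URL (the exact form of the negation in the
    rule is not given in the thread; this is an assumption)."""
    if "unsubscribe" in fully_decode(url).lower():
        return False
    return count_suspicious_domains(url, sender_domain) >= min_domains


# Constructed samples (not taken from the PR or its telemetry).
# One param carrying a two-hop chain: tracker -> scanner -> landing page.
SAMPLE_CHAINED = (
    "https://redirector.example/track?u="
    "https%3A%2F%2Fscanner.example%2Fv2%2Furl%3Fu%3D"
    "https%253A%252F%252Flanding.example%252Flogin"
)
# Several params that each carry a single URL: the earlier false-positive shape.
SAMPLE_SPREAD = (
    "https://mail.example/click?a=https%3A%2F%2Fone.example%2F"
    "&b=https%3A%2F%2Ftwo.example%2F"
)
# Same chain shape, but ending on an unsubscribe page.
SAMPLE_UNSUB = SAMPLE_CHAINED.replace("%252Flogin", "%252Funsubscribe")

if __name__ == "__main__":
    for label, sample in [("chained", SAMPLE_CHAINED), ("spread", SAMPLE_SPREAD), ("unsub", SAMPLE_UNSUB)]:
        print(label, embedded_domains_per_param(sample), is_heavy_obfuscation(sample, "sender.example"))
```

With the sender at `sender.example`, the chained sample yields two distinct third-party domains in the single `u` parameter and is flagged; the spread sample peaks at one domain per parameter and is not, which mirrors the narrowing to a single query param described above; the unsubscribe variant is suppressed by the negation.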

@zoomequipd (Member)

Looks like the addition of the unsubscribe negation had a very positive impact on this rule; will continue testing for a bit more.

alex-herold and others added 2 commits October 28, 2025 08:01
- Applied .github directory from main to morriscode-patch-46
- Ensures workflows and GitHub configurations are up to date
- Automated sync via script
@morriscode morriscode added this pull request to the merge queue Oct 30, 2025
Merged via the queue into main with commit 7b38a36 Oct 30, 2025
3 checks passed
@morriscode morriscode deleted the morriscode-patch-46 branch October 30, 2025 17:20