sublime-security · morriscode · Oct 30, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
@@ -0,0 +1,54 @@
+name: "Link: Multiple HTTP protocols in single URL"
+description: "Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.current_thread.links) < 10
+  and any(body.current_thread.links,
+          .visible
+          // no ability to loop query_params_decoded, so create the non-decoded equivlent 
+          and not strings.icontains(.href_url.url, 'unsubscribe')
+          and not strings.icontains(.display_text, 'unsubscribe')
+          and any(regex.extract(.href_url.query_params,
+                                '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
+                  ),
+
+                  // filter down to query params that start with a url
+                  regex.contains(.named_groups['value'],
+                                 '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
+                  )
+                  // the number of unique domains in the URL query param is greater or equal to three
+                  and length(distinct(map(filter(regex.iextract(.named_groups['value'],
+                                                         '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
+                                          ),
+                                          // sometimes URLs have // and produce entries we want to skip
+                                          // so ensure it's a valid domain first
+                                          strings.parse_domain(.named_groups['domain']).error is null
+                                          and strings.parse_domain(.named_groups['domain']).valid
+                                          // remove domain that are the same as the sender root domain
+                                          and strings.parse_domain(.named_groups['domain']).root_domain != sender.email.domain.root_domain
+                                      ),
+                                      // return just the root domian
+                                      strings.parse_domain(.named_groups['domain']).root_domain
+                             ), .)
+                  ) >= 3
+
+                  // there are three or more total URLs in that query param
+                  and regex.count(.named_groups['value'],
+                                  '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
+                  ) >= 3
+          )
+  )
+
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "URL analysis"
+id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"