From c9ca5e1df0fc44d99bebec9ced1c12e5f20d8182 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Wed, 24 Dec 2025 14:39:33 -0500
Subject: [PATCH 1/2] Create link_url_with_recipient_targeting_and_special_characters.yml
---
 ...pient_targeting_and_special_characters.yml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
diff --git a/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
new file mode 100644
index 00000000000..68127c78e19
--- /dev/null
+++ b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
@@ -0,0 +1,44 @@
+name: "Link: Suspicious URL with recipient targeting and special characters"
+description: "Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and length(recipients.to) == 1
+ and recipients.to[0].email.domain.valid
+ and any(body.current_thread.links,
+ // special char in the path
+ (
+ strings.icontains(.href_url.path, '!')
+ or strings.icontains(.href_url.path, '@')
+ )
+ // a single path
+ and strings.count(.href_url.path, '/') == 2
+ and (
+ strings.icontains(.href_url.path, '/$')
+ or strings.icontains(.href_url.path, '/*')
+ )
+ and (
+ (
+ strings.icontains(.href_url.path, recipients.to[0].email.email)
+ or strings.icontains(.href_url.fragment,
+ recipients.to[0].email.email
+ )
+ or any(strings.scan_base64(.href_url.path, ignore_padding=true),
+ strings.icontains(., recipients.to[0].email.email)
+ )
+ or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
+ strings.icontains(., recipients.to[0].email.email)
+ )
+ )
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
+ - "Content analysis"
From 56e9f5d858b94f54edb539d524e88e380fcf1ef9 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 24 Dec 2025 19:44:33 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 .../link_url_with_recipient_targeting_and_special_characters.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
index 68127c78e19..5e11b635e1f 100644
--- a/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
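Review bot: The `// a single path` comment does not match what `strings.count(.href_url.path, '/') == 2` enforces — exactly two slashes, which admits both `/segment/` and `/a/b` — so a reader cannot tell which URL shape the rule targets; a comment such as `// exactly two '/' in the path (one segment with a trailing slash, or two segments)` would make the intent checkable. Note also that whenever the recipient address is matched in plaintext in the path, the `@` branch of the special-character check is satisfied by the address itself, so that check only constrains the fragment and base64 branches; if that is intended, the `// special char in the path` comment should say so. The two fragment checks depend on how `strings.icontains` and `strings.scan_base64` behave when a link has no fragment — presumably a null fragment just evaluates as no match, but that is worth confirming against the MQL semantics. The rule carries no negative conditions (nothing excludes links to the organization's own domains or known-good senders), so a legitimate personalized link whose path happens to contain `/$` or `/*` would alert as well; whether that rate is acceptable depends on observed traffic.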
+++ b/detection-rules/link_url_with_recipient_targeting_and_special_characters.yml
@@ -42,3 +42,4 @@ tactics_and_techniques:
 detection_methods:
 - "URL analysis"
 - "Content analysis"
+id: "e808be3a-e00c-5565-87f7-d0ca0411650d"