sublime-security · IndiaAce · Jan 8, 2026 · Dec 24, 2025 · Dec 24, 2025
@@ -0,0 +1,45 @@
+name: "Link: Suspicious URL with recipient targeting and special characters"
+description: "Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(recipients.to) == 1
+  and recipients.to[0].email.domain.valid
+  and any(body.current_thread.links,
+          // special char in the path
+          (
+            strings.icontains(.href_url.path, '!')
+            or strings.icontains(.href_url.path, '@')
+          )
+          // a single path
+          and strings.count(.href_url.path, '/') == 2
+          and (
+            strings.icontains(.href_url.path, '/$')
+            or strings.icontains(.href_url.path, '/*')
+          )
+          and (
+            (
+              strings.icontains(.href_url.path, recipients.to[0].email.email)
+              or strings.icontains(.href_url.fragment,
+                                   recipients.to[0].email.email
+              )
+              or any(strings.scan_base64(.href_url.path, ignore_padding=true),
+                     strings.icontains(., recipients.to[0].email.email)
+              )
+              or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
+                     strings.icontains(., recipients.to[0].email.email)
+              )
+            )
+          )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "URL analysis"
+  - "Content analysis"
+id: "e808be3a-e00c-5565-87f7-d0ca0411650d"