• Sublime Core Feed
High Severity

Link: Excessive URL rewrite encoders

Description

Detects URLs with an excessive number of encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.

References

No references.

Sublime Security
Created Jan 21st, 2026 • Last updated Jan 21st, 2026
Source
type.inbound
and any(body.current_thread.links,
        (
          // 4 or more encoders but they are all distinct
          length(.href_url.rewrite.encoders) >= 4
          and length(distinct(.href_url.rewrite.encoders)) >= 4
        )
)
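The following is an added example, not part of the rule or of Sublime's code. It peels nested rewrite wrappers from a link, collects one encoder label per layer, and applies the same condition as the source above; a chain of four layers that reuses two encoders does not satisfy that condition. The rewriter hosts, parameter names and encoder labels are constructed, and how Sublime populates `rewrite.encoders` is not shown on this page, so the peeling logic is an assumption.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical rewriter hosts mapped to (encoder label, query parameter that
# carries the wrapped URL). Constructed for illustration only.
REWRITERS = {
    "wrap-a.example": ("encoder_a", "url"),
    "wrap-b.example": ("encoder_b", "u"),
    "wrap-c.example": ("encoder_c", "target"),
    "wrap-d.example": ("encoder_d", "r"),
}
MAX_LAYERS = 16  # bound the loop on pathological nesting


def peel_encoders(href):
    """Return (encoder labels, outermost first) and the innermost URL."""
    encoders, current = [], href
    for _ in range(MAX_LAYERS):
        parts = urlsplit(current)
        known = REWRITERS.get(parts.hostname or "")
        if known is None:
            break
        label, param = known
        wrapped = parse_qs(parts.query).get(param)
        if not wrapped:
            break
        encoders.append(label)
        current = wrapped[0]  # parse_qs has percent-decoded one layer
    return encoders, current


def rule_matches(encoders):
    """The condition from the rule source: >= 4 encoders, >= 4 distinct."""
    return len(encoders) >= 4 and len(set(encoders)) >= 4


def build_nested(hosts, destination):
    """Build constructed sample data: first host outermost, last innermost."""
    url = destination
    for host in reversed(hosts):
        query = urlencode({REWRITERS[host][1]: url})
        url = f"https://{host}/?{query}"
    return url


A, B, C, D = REWRITERS  # the four constructed hosts, in insertion order
DEST = "https://dest.example/login"  # constructed destination
DISTINCT = build_nested([A, B, C, D], DEST)  # four distinct encoders
REPEATED = build_nested([A, B, A, B], DEST)  # four layers, two distinct
TWO = build_nested([A, B], DEST)             # two layers
```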