Medium Severity

Link: Personalized URL with recipient address on commonly abused web service

Description

Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics.

References

No references.

Sublime Security
Created Apr 1st, 2026 • Last updated Apr 1st, 2026
Source
type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and 0 < length(body.links) < 10
and any(body.links,
        .parser == "hyperlink"
        and (
          // the recipient email is in the url
          (
            strings.icontains(.href_url.path, recipients.to[0].email.email)
            or strings.icontains(.href_url.fragment,
                                 recipients.to[0].email.email
            )
            or any(strings.scan_base64(.href_url.path, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
            or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
          )
        )
        and (
          (
            .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $url_shorteners
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.root_domain == 'sendgrid.net'
            or (
              .href_url.domain.tld in $suspicious_tlds
              and not .href_url.domain.tld in ('me', 'us')
            )
            or network.whois(.href_url.domain).days_old < 30
            or regex.icontains(.href_url.path,
                               '\/(?:wp-(?:admin|includes)\/|redirect)'
            )
          )
          and not .href_url.domain.root_domain in ('geotab.com')
        )
        // the url contains #
        and strings.contains(.href_url.url, '#')

        // the url doesn't contain #? or #/
        and not regex.contains(.href_url.url, '#[/?]')

        // not sharepoint
        and not .href_url.domain.root_domain == 'sharepoint.com'

        // the url doesn't contain campaign params
        and not regex.icontains(.href_url.url,
                                '(?:location|utm_(?:term|source|medium|content|campaign))='
        )
        // too many false positives on typeform and no recent true positives
        and not .href_url.domain.root_domain == 'typeform.com'

        // no welcome links on frame.io
        and not (
          .href_url.domain.domain == 'accounts.frame.io'
          and .href_url.path == '/welcome'
        )
        // we don't want links with common unsubscribe paths
        and not strings.icontains(.href_url.path, "unsubscribe")
)

// not mimecast email with malicious blocked url in it
and not (
  subject.base == 'A message triggered content policies'
  and strings.icontains(body.current_thread.text, 'Mimecast Services Limited')
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == 'benign' and .confidence == 'high'
)
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
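The core link-matching logic of the rule above, re-implemented in Python as an added worked example (this is not Sublime's code or its MQL engine). The ABUSED_HOSTS set, the two-label root-domain split and the base64 token scanner are assumptions standing in for the rule's $-lists, `.href_url.domain.root_domain` and `strings.scan_base64`; the sample URLs are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed stand-in for the rule's $free_file_hosts / $url_shorteners lists (assumption).
ABUSED_HOSTS = {"example-filehost.test", "example-shortener.test"}

# Candidate base64 / base64url tokens inside one path or fragment segment.
B64_TOKEN = re.compile(r"[A-Za-z0-9+_=-]{12,}")
CAMPAIGN_PARAMS = re.compile(r"(?:location|utm_(?:term|source|medium|content|campaign))=", re.I)


def decode_base64_tokens(component: str):
    """Approximates strings.scan_base64(component, ignore_padding=true): yield the
    decoded text of every base64-looking token, tolerating missing '=' padding."""
    for segment in component.split("/"):
        for tok in B64_TOKEN.findall(segment):
            std = tok.rstrip("=").replace("-", "+").replace("_", "/")
            try:
                raw = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
            except binascii.Error:
                continue  # not valid base64, skip the token
            yield raw.decode("utf-8", "ignore")


def contains_recipient(component: str, recipient: str) -> bool:
    """strings.icontains on the raw component, then on each base64 decode of it."""
    rcpt = recipient.lower()
    if rcpt in component.lower():
        return True
    return any(rcpt in text.lower() for text in decode_base64_tokens(component))


def is_personalized_abused_link(href: str, recipient: str) -> bool:
    """Core of the rule: abused host, '#' present but not '#/' or '#?', no campaign
    parameters, no unsubscribe path, and the recipient address in the path or fragment."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    root = ".".join(host.split(".")[-2:])  # crude root-domain approximation (assumption)
    if host not in ABUSED_HOSTS and root not in ABUSED_HOSTS:
        return False
    if "#" not in href or re.search(r"#[/?]", href):
        return False
    if CAMPAIGN_PARAMS.search(href) or "unsubscribe" in u.path.lower():
        return False
    return contains_recipient(u.path, recipient) or contains_recipient(u.fragment, recipient)
```

The base64 scanner deliberately splits on `/` first so that a path like `/d/<token>` is decoded token by token rather than as one run.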