• Sublime Core Feed
High Severity

Link: Recipient email address in 'eta' parameter

Description

Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.

References

No references.

Sublime Security
Created Jan 27th, 2026 • Last updated Jan 27th, 2026
Source
type.inbound
and length(recipients.to) == 1
and any(body.links,
        // eta is the only key
        length(keys(.href_url.query_params_decoded)) == 1
        and (
          // the recipient's email domain is in the value
          // we've seen cases where `.` characters in the local part are dropped from the value, so we rely on the domain only
          strings.icontains(.href_url.query_params_decoded["eta"][0],
                            recipients.to[0].email.domain.domain
          )
          // support base64 form as well
          or strings.icontains(strings.decode_base64(.href_url.query_params_decoded["eta"][0]
                               ),
                               recipients.to[0].email.domain.domain
          )
        )
)
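The rule above is MQL, which only runs inside Sublime. As an added example (not Sublime's code, and not part of this rule page), the following Python re-implements the same three conditions so the logic can be exercised offline against constructed sample links: `eta` must be the only query key, and its URL-decoded value, either as-is or after base64 decoding, must contain the single recipient's email domain case-insensitively. The recipient address, the link URLs and the `matching_links` / `link_targets_recipient` function names are assumptions made for this example; the base64 helper additionally tolerates stripped padding and the `+` to space conversion that query parsing performs, which the MQL `strings.decode_base64` call may or may not do.

```python
"""Added example, not Sublime's code: Python version of the 'eta' query
parameter check, run over constructed sample links."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit


def decode_base64_lenient(value: str) -> str:
    """Base64-decode a query value and return '' when it is not base64.

    Query parsing already turned '+' into ' ', and link builders often strip
    '=' padding, so both are repaired before decoding. Standard and URL-safe
    alphabets are tried in turn.
    """
    repaired = value.replace(" ", "+")
    repaired += "=" * (-len(repaired) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(repaired).decode("utf-8", errors="ignore")
        except (binascii.Error, ValueError):
            continue
    return ""


def link_targets_recipient(href: str, recipient_domain: str) -> bool:
    """Mirror the per-link condition of the rule.

    True when 'eta' is the only query key and its decoded value (plain or
    base64) contains the recipient's email domain, case-insensitively.
    """
    params = parse_qs(urlsplit(href).query, keep_blank_values=True)
    if set(params) != {"eta"}:          # length(keys(...)) == 1 and key is eta
        return False
    eta = params["eta"][0]               # query_params_decoded["eta"][0]
    needle = recipient_domain.lower()
    if needle in eta.lower():            # strings.icontains(plain value)
        return True
    return needle in decode_base64_lenient(eta).lower()   # base64 form


def matching_links(recipients: list[str], links: list[str]) -> list[str]:
    """Apply the message-level conditions: exactly one recipient in To, then
    return every link whose 'eta' value names that recipient's domain."""
    if len(recipients) != 1:             # length(recipients.to) == 1
        return []
    domain = recipients[0].rsplit("@", 1)[-1]
    return [href for href in links if link_targets_recipient(href, domain)]


if __name__ == "__main__":
    # Constructed sample data: one recipient and a handful of body links.
    recipient = "alice@example.com"
    sample_links = [
        "https://example.net/login?eta=alice@example.com",        # plain
        "https://example.net/login?eta=YWxpY2VAZXhhbXBsZS5jb20",  # base64, padding stripped
        "https://example.net/?eta=alice@example.com&utm=1",       # extra key: no match
        "https://example.net/?eta=bob@other.org",                 # other recipient: no match
        "https://example.net/?eta=not-base64!!",                  # undecodable: no match
    ]
    for hit in matching_links([recipient], sample_links):
        print("match:", hit)
```

The helper returns an empty string rather than raising when the value is not base64, so a junk `eta` value simply fails the second branch instead of aborting evaluation of the whole message, which is the behaviour a detection needs under adversarial input.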