Medium Severity

Link: Referrer Anonymization Service From Untrusted Sender

Labels

Credential Phishing

Open redirect

Description

Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.

References

No references.

Sublime Security

Created Mar 12th, 2025 • Last updated Mar 12th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        // href.li
        (
          .href_url.domain.root_domain == "href.li"
          and .href_url.query_params is not null
        )
        // deref-mail 
        or (
          strings.istarts_with(.href_url.path, '/mail/client/')
          and strings.icontains(.href_url.query_params, 'redirectUrl=')
          // this seems to be a common behavior for gmx users
          and not sender.email.domain.domain in ("gmx.de", "gmx.net")
          and not (
            sender.email.domain.domain == "mail.com"
            and any(headers.domains, .root_domain == "mail.com")
          )
          // remove any links that include org domains
          and not any($org_domains,
                      strings.icontains(..href_url.query_params, .)
          )
          // remove any links that are to common "signature" sites
          // this does open up some FNs due to abuse of redirects of these sites
          // if FNs are obsevered, we should tighten the logic of these to account
          // for the redirect behavior
          and not any(['facebook.com', 'x.com', 'twitter.com', 'instagram.com'],
                      strings.icontains(..href_url.query_params, .)
          )

          // remove links which contain the sender domain if the sender doesn't have any malicious messages
          and not (
            strings.icontains(.href_url.query_params,
                              sender.email.domain.root_domain
            )
            and not profile.by_sender_domain().any_messages_malicious_or_spam
          )
        )
)
// apply sender profile elements specific to the sender_email
and (
  profile.by_sender_email().prevalence == "new"

  // if they aren't new, there are some condition that still result in a match
  or (
    // and have been flagged previous
    profile.by_sender_email().any_messages_malicious_or_spam
    // without any false positives
    and not profile.by_sender_email().any_false_positives
  )
)
// negate solicited senders
and not profile.by_sender_email().solicited
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.