High Severity

Link: Suspicious URL with recipient targeting and special characters

Labels

Description

Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

References

No references.

Sublime Security

Created Jan 8th, 2026 • Last updated Jan 22nd, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // special char in the path
        (
          strings.icontains(.href_url.path, '!')
          or strings.icontains(.href_url.path, '@')
        )
        // a single path
        and strings.count(.href_url.path, '/') == 2
        and (
          strings.icontains(.href_url.path, '/$')
          or strings.icontains(.href_url.path, '/*')
        )
        and (
          (
            strings.icontains(.href_url.path, recipients.to[0].email.email)
            or strings.icontains(.href_url.fragment,
                                 recipients.to[0].email.email
            )
            or any(strings.scan_base64(.href_url.path, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
            or any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
                   strings.icontains(., recipients.to[0].email.email)
            )
          )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.