Sublime Core Feed
High Severity

Link: Unsolicited email contains link to page containing Tycoon URI structure

Description

Detects messages from unsolicited senders with a small number of links (fewer than 15) where a link resolves to a page whose inline scripts reference URLs with the Tycoon phishing kit path structure (two alphanumeric sequences separated by an exclamation mark or at sign at the start of the path, e.g. /abc123!def456/), or where a link's display text shows that structure together with the challenges.cloudflare.com domain. Paths where the separator is followed only by letters (such as /@scope/), hosts beginning with www., and a short list of CDN and hosting root domains (fpjs.io, medium.com, unpkg.com, alicdn.com, turtl.co) are excluded.

References

No references.

Sublime Security
Created Mar 10th, 2026 • Last updated Mar 10th, 2026
Source
type.inbound
and 0 < length(body.links) < 15
and any(body.links,
        any(html.xpath(ml.link_analysis(.).final_dom, '//script//text()').nodes,
            // full tycoon uri struct
            any(.links,
                regex.icontains(.href_url.path,
                                '^\/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}\/'
                )
                and not regex.icontains(.href_url.path, '\/[!@][a-z]{2,30}\/')
                and not strings.istarts_with(.href_url.domain.domain, 'www.')
                and not regex.icontains(.href_url.domain.root_domain,
                                        '(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)'
                )
            )
        )
        // tycoon structured path and cloudflare captcha domain
        or (
          regex.icontains(.display_text,
                          '\/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}\/'
          )
          and strings.icontains(.display_text, 'challenges.cloudflare.com')
        )
)
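The MQL above runs only inside a Sublime instance. The following is an added example, written for this page and not Sublime's own code, that re-implements the same two branches in Python so the regexes and exclusions can be exercised against sample input. It assumes a simplified root-domain extraction (last two labels, where MQL's root_domain is public-suffix aware), finds URLs inside script text with a plain http(s) regex (standing in for the rule's .links on the xpath nodes), and uses a constructed landing page rather than a real capture.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Branch 1: path must START with /<alnum>{0,30}[!@]<alnum>{0,30}/ (the rule's anchored regex)
TYCOON_PATH = re.compile(r'^/[a-z0-9]{0,30}[!@][a-z0-9]{0,30}/', re.IGNORECASE)
# Exclusion: separator followed by letters only, which drops paths like /@scope/pkg/
LETTERS_AFTER_SEP = re.compile(r'/[!@][a-z]{2,30}/', re.IGNORECASE)
# Exclusion: root domains the rule treats as benign hosts of such paths
IGNORED_ROOT_DOMAINS = re.compile(r'(?:fpjs\.io|(?:medium|unpkg|alicdn)\.com|turtl\.co)', re.IGNORECASE)
# Branch 2: the same shape anywhere in the display text, plus the Cloudflare challenge host
DISPLAY_PATTERN = re.compile(r'/[a-zA-Z0-9]{0,30}[!@][a-zA-Z0-9]{0,30}/')
CLOUDFLARE_CHALLENGE = 'challenges.cloudflare.com'
# Assumption: URLs inside script text are located with a plain http(s) regex
URL_IN_SCRIPT = re.compile(r'https?://[^\s\'"<>]+')


class _ScriptTextCollector(HTMLParser):
    """Collects the text content of every <script> element (the rule's //script//text())."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.texts = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.texts.append(data)


def script_urls(landing_html):
    """Return every http(s) URL referenced inside the page's <script> blocks."""
    collector = _ScriptTextCollector()
    collector.feed(landing_html)
    return [u for text in collector.texts for u in URL_IN_SCRIPT.findall(text)]


def root_domain(host):
    # Assumption: the last two labels stand in for MQL's public-suffix-aware root_domain.
    labels = host.lower().split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def script_link_matches(url):
    """Branch 1 for one URL found in a script: Tycoon path shape minus the rule's three exclusions."""
    parts = urlparse(url)
    host = parts.hostname or ''
    path = parts.path or ''
    if not TYCOON_PATH.search(path):
        return False
    if LETTERS_AFTER_SEP.search(path):
        return False
    if host.lower().startswith('www.'):
        return False
    if IGNORED_ROOT_DOMAINS.search(root_domain(host)):
        return False
    return True


def display_text_matches(display_text):
    """Branch 2: structured path in the visible link text next to the Cloudflare challenge domain."""
    return bool(DISPLAY_PATTERN.search(display_text)) and CLOUDFLARE_CHALLENGE in display_text.lower()


def rule_matches(links):
    """Top-level rule: 1 to 14 links, any one of which trips either branch.

    Each link is a dict with 'display_text' and 'landing_html' (the DOM after link analysis)."""
    if not 0 < len(links) < 15:
        return False
    return any(
        any(script_link_matches(u) for u in script_urls(link['landing_html']))
        or display_text_matches(link['display_text'])
        for link in links
    )


# Constructed landing page (not a real capture): one Tycoon-style URL and one benign CDN URL in a script.
LANDING_PAGE = """<html><head><script>
  var next = "https://example-cdn.net/abc123!def456/";
  var lib = "https://cdn.unpkg.com/react@18/umd/react.js";
</script></head><body><p>Loading...</p></body></html>"""

if __name__ == '__main__':
    print(script_urls(LANDING_PAGE))
    print(rule_matches([{'display_text': 'Open document', 'landing_html': LANDING_PAGE}]))
    print(rule_matches([{'display_text': 'https://challenges.cloudflare.com/cdn-cgi/x!y9/', 'landing_html': ''}]))
```

The unpkg URL in the constructed page has a path (/react@18/) that satisfies the anchored pattern, which is exactly why the rule carries a root-domain allowlist; the second exclusion regex handles the other common benign shape, a separator followed by a plain word as in /@scope/pkg/. The link-count guard reproduces the rule's `0 < length(body.links) < 15` condition.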