• Sublime Core Feed
Medium Severity

Link: URL redirecting to blob URL

Labels

Credential Phishing
Malware/Ransomware
Evasion
Free file host
Open redirect
Sender analysis
URL analysis
Threat intelligence

Description

Detects messages containing links that redirect to blob URLs, indicating potential malware delivery or credential harvesting.

References

No references.

Sublime Security
Created Feb 24th, 2026 • Last updated Feb 24th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 0 < length(body.links) < 10
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        // the url redirects to a blob url
        ml.link_analysis(.).effective_url.scheme =~ 'blob'
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started