• Sublime Core Feed

Description

Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems. This evasion technique breaks the URL scheme (http/https) across separate anchor elements, for example: <a>h</a><a>ttp://malicious.com</a>, which renders to the recipient as one continuous URL.

The technique bypasses many security tools that expect complete, well-formed URLs while displaying a seemingly normal link to end users. This pattern is strongly associated with credential phishing and compromised email accounts.

References:
- Observed in wild credential phishing campaigns (2024-2025)
- Evades traditional URL extraction and analysis tools

Sublime Security
Created Dec 2nd, 2025 • Last updated Dec 2nd, 2025
Source
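type.inbound
// the current thread contains exactly two links
and length(body.current_thread.links) == 2
// exactly one anchor displays the lone "h" and links to an http(s) URL
and length(filter(html.xpath(body.html, "//a").nodes,
                  .display_text == "h"
                  and any(.links, .href_url.scheme in ("http", "https"))
           )
) == 1
// exactly one anchor displays the rest of the scheme ("ttp://" or "ttps://") and links to an http(s) URL
and length(filter(html.xpath(body.html, "//a").nodes,
                  (
                    strings.starts_with(.display_text, "ttp://")
                    or strings.starts_with(.display_text, "ttps://")
                  )
                  and any(.links, .href_url.scheme in ("http", "https"))
           )
) == 1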
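
The same check outside MQL, as an added Python example that is not part of the Sublime rule: it mirrors the rule's two anchor conditions and, going one step further than the rule, requires the two anchors to be consecutive before reassembling the displayed URL. The sample bodies, the example.test domain and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample bodies; example.test is a placeholder domain.
SPLIT_BODY = ('<p>Review: <a href="https://example.test/login">h</a>'
              '<a href="https://example.test/login">ttps://example.test/login</a></p>')
BENIGN_BODY = '<p><a href="https://example.test/docs">https://example.test/docs</a></p>'

class AnchorCollector(HTMLParser):
    """Collects (href, display_text) for every <a> element, in document order."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only keep text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def collect_anchors(html_body):
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    return parser.anchors

def is_web(href):
    try:
        return urlsplit(href).scheme in ("http", "https")
    except ValueError:  # malformed href, e.g. a broken IPv6 literal
        return False

def naive_display_urls(html_body):
    """Per-anchor check: display text that is a complete URL on its own."""
    return [t for _, t in collect_anchors(html_body)
            if t.startswith(("http://", "https://"))]

def find_split_scheme_links(html_body):
    """Reassemble display URLs whose scheme is split across two consecutive anchors."""
    a = collect_anchors(html_body)
    return [t1 + t2 for (h1, t1), (h2, t2) in zip(a, a[1:])
            if t1 == "h" and t2.startswith(("ttp://", "ttps://"))
            and is_web(h1) and is_web(h2)]
```

On the split sample the per-anchor check returns nothing, while the pairwise check returns the URL the recipient actually sees.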