Medium Severity

Link: Webflow Link from Unsolicited Sender

Labels

Callback Phishing

Free file host

Description

This detection rule matches on messaging containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan enabling users to create custom websites and file hosting. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.

References

No references.

Sublime Security

Created Sep 16th, 2024 • Last updated Jun 13th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        // webflow link
        .href_url.domain.root_domain == 'webflow.io'
        and .href_url.domain.subdomain != ""
        and .href_url.domain.subdomain != "www"
        and .href_url.path == "/"
)
// not solicited or from malicious/spam user with no FPs
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
)

// not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.