High Severity

Open redirect: Hakumonkai.org

Description

Detects inbound messages whose body links, or URLs found in PDF attachments, use the hakumonkai.org redirect endpoint (/fukkou/ref.php) to send users to an external domain through the 'url' parameter.

References

No references.

Sublime Security
Created Jun 1st, 2026 • Last updated Jun 1st, 2026
Source
type.inbound
and (
  any(body.links,
      (
        .href_url.domain.root_domain == "hakumonkai.org"
        and .href_url.path == "/fukkou/ref.php"
        and any(.href_url.query_params_decoded["url"],
                strings.parse_url(.).domain.valid
        )
      )
  )
  or any(filter(attachments, .file_type == "pdf"),
         any(file.explode(.),
             any(.scan.url.urls,
                 (
                   .domain.root_domain == "hakumonkai.org"
                   and .path == "/fukkou/ref.php"
                   and any(.query_params_decoded["url"],
                           strings.parse_url(.).domain.valid
                   )
                 )
             )
         )
  )
)
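
The same matching logic as an added Python example (not Sublime's code), useful for checking URLs pulled from proxy logs or extracted from attachments outside the platform. The suffix match and hostname regex are assumptions that approximate MQL's `.root_domain` and `.domain.valid`, and the sample links are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

REDIRECT_ROOT = "hakumonkai.org"
REDIRECT_PATH = "/fukkou/ref.php"

# Assumption: stand-in for MQL's `.domain.valid` (dotted hostname, alphabetic TLD).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def hostname(url):
    """Lower-cased hostname of a URL, or '' if it has none or fails to parse."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def redirect_targets(url):
    """Return decoded 'url' values that parse to a valid-looking domain when the
    link uses the hakumonkai.org redirect endpoint; otherwise an empty list."""
    host = hostname(url)
    # Assumption: suffix match approximates `.root_domain == "hakumonkai.org"`.
    if not (host == REDIRECT_ROOT or host.endswith("." + REDIRECT_ROOT)):
        return []
    parts = urlsplit(url)
    if parts.path != REDIRECT_PATH:
        return []
    # parse_qs percent-decodes values, like `query_params_decoded` in the rule.
    values = parse_qs(parts.query, keep_blank_values=True).get("url", [])
    return [v for v in values if HOST_RE.match(hostname(v))]

def flag_links(links):
    """Map each matching link to the external destinations it points at."""
    return {link: t for link in links if (t := redirect_targets(link))}

SAMPLE_LINKS = [  # constructed sample data
    "https://www.hakumonkai.org/fukkou/ref.php?url=https%3A%2F%2Flogin.example.net%2Fauth",
    "https://hakumonkai.org/fukkou/ref.php?url=%2Fnews%2Findex.html",   # relative target
    "https://hakumonkai.org/fukkou/index.php?url=https%3A%2F%2Fexample.net",  # other path
    "https://hakumonkai.org.example.net/fukkou/ref.php?url=https%3A%2F%2Fexample.net",
]

if __name__ == "__main__":
    for link, targets in flag_links(SAMPLE_LINKS).items():
        print("MATCH", link, "->", targets)
```

Only the first sample matches: the second carries a relative path with no domain, the third uses a different path, and the fourth is a lookalike host whose root domain is not hakumonkai.org.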