Description

Detects inbound messages containing JustPaste.it redirect links that forward to external destinations outside of JustPaste.it. This technique abuses JustPaste.it's redirect functionality to obscure the true destination URL, bypassing link reputation checks. The rule excludes legitimate senders from JustPaste.it itself.

References

No references.

Sublime Security
Created Jul 2nd, 2026 • Last updated Jul 2nd, 2026
Source
type.inbound
and any(body.links,
        .href_url.domain.domain == "justpaste.it"
        and strings.istarts_with(.href_url.path, '/redirect/')
        // wrapped destination is not back to justpaste.it
        and not strings.icontains(.href_url.path, 'justpaste.it')
)
and not sender.email.domain.root_domain == "justpaste.it"   
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started