Medium Severity

Service abuse: Meetup.com redirect with brand impersonation

Description

Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.

References

No references.

Sublime Security
Created Apr 15th, 2026 • Last updated Apr 15th, 2026
Source
type.inbound
// we check 'body links' as this campaign has been observed abusing fake threads
and any(body.links,
        .href_url.domain.domain == "clicks.meetup.com"
        // a lengthy URL hints at the redirect chain this campaign relies on
        and length(.href_url.url) > 300
)
// negate legit meetup.com by checking for their logo
and not any(html.xpath(body.html, '//img/@src').nodes,
            strings.icontains(.raw, 'meetupstatic')
)
// negate high trust senders that pass auth
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
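The same four checks, re-implemented in Python over constructed HTML messages as an added example (this is not the Sublime rule engine or the project's code); the high-trust domain set and the sample messages are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for Sublime's $high_trust_sender_root_domains list (assumption).
HIGH_TRUST_ROOT_DOMAINS = {"meetup.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
IMG_SRC_RE = re.compile(r'<img[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def root_domain(host: str) -> str:
    # Naive registrable-domain extraction (last two labels); adequate for .com here.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def rule_matches(html: str, sender_email: str, dmarc_pass) -> bool:
    """Mirror of the rule: a clicks.meetup.com link over 300 chars, no meetupstatic
    logo in any <img src>, and the sender is not (high-trust root domain AND DMARC pass)."""
    suspicious_link = any(
        urlparse(href).hostname == "clicks.meetup.com" and len(href) > 300
        for href in HREF_RE.findall(html)
    )
    # strings.icontains(.raw, 'meetupstatic') over //img/@src
    has_meetup_logo = any("meetupstatic" in src.lower() for src in IMG_SRC_RE.findall(html))
    sender_root = root_domain(sender_email.split("@")[-1])
    # coalesce(headers.auth_summary.dmarc.pass, false): a missing DMARC verdict counts as fail
    high_trust_authed = sender_root in HIGH_TRUST_ROOT_DOMAINS and bool(dmarc_pass)
    return suspicious_link and not has_meetup_logo and not high_trust_authed


# Constructed sample messages (not real campaign data).
LONG_TRACK = "https://clicks.meetup.com/f/a/" + "A" * 320  # 350 chars, over the threshold
PHISH_HTML = f'<html><body><p>Re: thread</p><a href="{LONG_TRACK}">View</a></body></html>'
LEGIT_HTML = (
    '<html><body><img src="https://secure.meetupstatic.com/logo.png">'
    f'<a href="{LONG_TRACK}">RSVP</a></body></html>'
)
SHORT_HTML = '<a href="https://clicks.meetup.com/f/a/short">link</a>'

if __name__ == "__main__":
    print(rule_matches(PHISH_HTML, "organizer@example.net", None))   # True: fires
    print(rule_matches(LEGIT_HTML, "info@meetup.com", True))         # False: logo present
    print(rule_matches(PHISH_HTML, "info@meetup.com", None))         # True: no DMARC pass
```

Note that a missing DMARC result keeps the sender-trust exclusion from applying, matching the rule's coalesce() default.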