Detection Method: URL analysis

URL analysis scans links in emails, attachments, or embedded content to find malicious destinations aimed at stealing your credentials, delivering malware, or launching other types of attacks. This method looks at key factors like the structure of the URL, redirection paths, domain reputation, and what the link shows when clicked.
URL analysis can help you detect:
  • Phishing sites pretending to be trusted login pages
  • Malicious domains hidden through URL shorteners or redirects
  • Login forms on suspicious or newly registered domains
  • Brand impersonation using slight domain tweaks (typosquatting or homograph attacks)
  • Suspicious URLs with weird characters or unusual patterns
For example, attackers often use redirect chains to hide their final destination from security scanners. With URL analysis, we can follow these redirects to reveal the true destination and assess the potential threat.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting Credential Phishing using Deep Learning + MQL · Blog · Sublime Security
Detecting Credential Phishing using Deep Learning + MQL · Blog · Sublime Security
Attack Types (6):
Credential Phishing
Malware/Ransomware
Spam
BEC/Fraud
Extortion
Callback Phishing
Tactics & Techniques (25):
Open redirect
Social engineering
Evasion
PDF
Impersonation: Brand
QR code
Spoofing
Impersonation: Employee
Image as content
Free file host
Free subdomain host
Lookalike domain
Free email provider
Credential Phishing
Encryption
Impersonation: VIP
Exploit
Out of band pivot
IPFS
HTML injection
LNK
OneNote
HTML smuggling
Scripting
Punycode
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Open redirect: embluemail.com
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis
/feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3
Link: PDF filename impersonation with credential theft language
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
PDF
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513
Brand impersonation: Google Meet with malicious link
7h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-google-meet-with-malicious-link-d488d85a
Attachment: QR code with recipient targeting and special characters
3d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Evasion
File analysis
QR code analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Brand impersonation: Navan
3d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Sender analysis
Natural Language Understanding
URL analysis
Content analysis
/feeds/core/detection-rules/brand-impersonation-navan-3573e9a8
Link: Suspicious go.php redirect with document lure
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-suspicious-gophp-redirect-with-document-lure-f3d8c227
Link: URL shortener with copy-paste instructions and credential theft language
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-url-shortener-with-copy-paste-instructions-and-credential-theft-language-a0a2c573
New link domain (<=10d) from untrusted sender
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Sender analysis
URL analysis
Whois
/feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6
Link: SharePoint filename matches org name
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-sharepoint-filename-matches-org-name-cb954726
Service abuse: Apple TestFlight with suspicious developer reference
6d ago
Feb 6th, 2026
Sublime Security
Spam
Social engineering
Content analysis
HTML analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0
Brand impersonation: Microsoft Teams invitation
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Brand impersonation: Microsoft Planner with suspicious link
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Image as content
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Brand impersonation: Fake Fax
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Credential phishing: Generic document sharing
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Social engineering
Evasion
Impersonation: Employee
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c
Brand impersonation: DocuSign
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Spoofing
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Zoom via lookalike domain
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Free email provider
Social engineering
URL analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-zoom-via-lookalike-domain-b9d5e4b5
ClickFunnels link infrastructure abuse
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Free email provider
Free subdomain host
Social engineering
Content analysis
Header analysis
QR code analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9
Attachment: Legal themed message or PDF with suspicious indicators
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Link: Common hidden directory observed
9d ago
Feb 3rd, 2026
Sublime Security
Credential Phishing
Evasion
URL analysis
HTML analysis
/feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6
Attachment: QR code with encoded recipient targeting and redirect indicators
13d ago
Jan 30th, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Image as content
Open redirect
Archive analysis
File analysis
QR code analysis
URL analysis
/feeds/core/detection-rules/attachment-qr-code-with-encoded-recipient-targeting-and-redirect-indicators-5d51e565
Page 1 of 20