Detection Method: URL analysis

URL analysis scans links in emails, attachments, or embedded content to find malicious destinations aimed at stealing your credentials, delivering malware, or launching other types of attacks. This method looks at key factors like the structure of the URL, redirection paths, domain reputation, and what the link shows when clicked.
URL analysis can help you detect:
  • Phishing sites pretending to be trusted login pages
  • Malicious domains hidden through URL shorteners or redirects
  • Login forms on suspicious or newly registered domains
  • Brand impersonation using slight domain tweaks (typosquatting or homograph attacks)
  • Suspicious URLs with weird characters or unusual patterns
For example, attackers often use redirect chains to hide their final destination from security scanners. With URL analysis, we can follow these redirects to reveal the true destination and assess the potential threat.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting Credential Phishing using Deep Learning + MQL · Blog · Sublime Security
Detecting Credential Phishing using Deep Learning + MQL · Blog · Sublime Security
Attack Types (6):
Credential Phishing
BEC/Fraud
Malware/Ransomware
Spam
Callback Phishing
Extortion
Tactics & Techniques (25):
Social engineering
Free subdomain host
Evasion
Credential Phishing
PDF
QR code
Encryption
Impersonation: Brand
Image as content
Free file host
Free email provider
Out of band pivot
Impersonation: Employee
Lookalike domain
OneNote
Open redirect
LNK
Exploit
HTML smuggling
Scripting
Impersonation: VIP
Spoofing
IPFS
HTML injection
Punycode
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link: Personal SharePoint with invalid recipients and credential theft language
17m ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-personal-sharepoint-with-invalid-recipients-and-credential-theft-language-79d5403d
Link: Tycoon2FA phishing kit (non-exhaustive)
12h ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Free subdomain host
Evasion
Credential Phishing
URL analysis
HTML analysis
Content analysis
/feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2
Link: Suspicious URL with recipient targeting and special characters
21h ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
URL analysis
Content analysis
/feeds/core/detection-rules/link-suspicious-url-with-recipient-targeting-and-special-characters-e808be3a
Fake voicemail notification (untrusted sender)
1d ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787
Attachment: PDF with recipient email in link
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
PDF
QR code
Encryption
Social engineering
File analysis
QR code analysis
URL analysis
/feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f
Attachment: QR code with recipient targeting and special characters
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
QR code
Social engineering
Evasion
File analysis
QR code analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Link: Display text with excessive right-to-left mark characters
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Evasion
Content analysis
URL analysis
/feeds/core/detection-rules/link-display-text-with-excessive-right-to-left-mark-characters-a45cfd4c
Link: Self-sent message with quarterly document review request
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Evasion
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6
Brand impersonation: Fake Fax
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Link: Excessive URL rewrite encoders
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Encryption
Evasion
URL analysis
Content analysis
/feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7
Link: Breely link masquerading as PDF
7d ago
Jan 16th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Free subdomain host
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-breely-link-masquerading-as-pdf-4a498c21
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
8d ago
Jan 15th, 2026
Sublime Security
BEC/Fraud
Evasion
Free email provider
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Spam: Commonly observed formatting of unauthorized free giveaways
9d ago
Jan 14th, 2026
Sublime Security
Spam
Impersonation: Brand
Social engineering
Content analysis
HTML analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3
Link: Common hidden directory observed
10d ago
Jan 13th, 2026
Sublime Security
Credential Phishing
Evasion
URL analysis
HTML analysis
/feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Free subdomain host
PDF
Social engineering
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Link: Self-sender with sender org in subject and credential theft indicator
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
Natural Language Understanding
Content analysis
Sender analysis
URL analysis
Header analysis
/feeds/core/detection-rules/link-self-sender-with-sender-org-in-subject-and-credential-theft-indicator-bfa9aa08
Link: Base64 encoded recipient address in URL fragment with subject hash
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Encryption
Evasion
Social engineering
Content analysis
URL analysis
Header analysis
/feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8
Link: Free subdomain host with undisclosed recipients
11d ago
Jan 12th, 2026
Sublime Security
Free subdomain host
Header analysis
URL analysis
/feeds/core/detection-rules/link-free-subdomain-host-with-undisclosed-recipients-c23d979d
Brand impersonation: Sharepoint fake file share
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Impersonation: Brand
Social engineering
Content analysis
Header analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/brand-impersonation-sharepoint-fake-file-share-ff8b296b
Link to Google Apps Script macro via comment tagging
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Social engineering
Content analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-to-google-apps-script-macro-via-comment-tagging-66fecd30
Page 1 of 19