URL analysis

Detection Method: URL analysis

URL analysis scans links in emails, attachments, or embedded content to find malicious destinations aimed at stealing your credentials, delivering malware, or launching other types of attacks. This method looks at key factors like the structure of the URL, redirection paths, domain reputation, and what the link shows when clicked.

URL analysis can help you detect:

Phishing sites pretending to be trusted login pages
Malicious domains hidden through URL shorteners or redirects
Login forms on suspicious or newly registered domains
Brand impersonation using slight domain tweaks (typosquatting or homograph attacks)
Suspicious URLs with weird characters or unusual patterns

For example, attackers often use redirect chains to hide their final destination from security scanners. With URL analysis, we can follow these redirects to reveal the true destination and assess the potential threat.

Blog Posts

Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits

Hiding a $50,000 BEC financial fraud in a fake email thread

Talking phish over turkey

Living Off the Land: Credential Phishing via Docusign abuse

Living Off the Land: Callback Phishing via Docusign comment

Abusing Discord to deliver Agent Tesla malware

Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques

QR Code Phishing: Decoding Hidden Threats

Detecting Credential Phishing using Deep Learning + MQL

Attack Types (3):

Credential Phishing

Malware/Ransomware

BEC/Fraud

Tactics & Techniques (10):

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Xero Infrastructure Abuse	4h ago May 23rd, 2025	Sublime Security	Credential Phishing Evasion Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3
Link: Direct Link to keap.app contact-us page	4h ago May 23rd, 2025	Sublime Security	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267
Link: Direct link to Zoom Docs from Non-Zoom Sender	1d ago May 22nd, 2025	Sublime Security	Credential Phishing Social engineering Impersonation: Brand Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db
Brand impersonation: DocuSign	2d ago May 21st, 2025	Sublime Security	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Link: Multistage Landing - Scribd Document	7d ago May 16th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
Canva Design With Suspicious Embedded Link	7d ago May 16th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22
Attachment: Adobe image lure in body or attachment with suspicious link	7d ago May 16th, 2025	Sublime Security	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
ClickFunnels link infrastructure abuse	7d ago May 16th, 2025	Sublime Security	Credential Phishing Free email provider Free subdomain host Social engineering Content analysis Header analysis QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9
Brand Impersonation: Zoom	8d ago May 15th, 2025	Sublime Security	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Vendor Compromise: GovDelivery Message With Suspicious Link	8d ago May 15th, 2025	Sublime Security	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Link: Multistage Landing - Ludus Presentation	9d ago May 14th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311
Link: Multistage Landing - Published Google Doc	9d ago May 14th, 2025	Sublime Security	Credential Phishing Free file host Social engineering Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8
Link: Scribd Fullscreen Link From Suspicious Sender	9d ago May 14th, 2025	Sublime Security	Credential Phishing Free file host Social engineering Evasion URL analysis Sender analysis	/feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972
Request for Quote or Purchase (RFQ\|RFP) with suspicious sender or recipient pattern	9d ago May 14th, 2025	Sublime Security	BEC/Fraud Evasion Free email provider Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Salesforce Infrastructure Abuse	14d ago May 9th, 2025	Sublime Security	Credential Phishing Evasion Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70
Link: Display Text Matches Subject Line	14d ago May 9th, 2025	Sublime Security	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
Link: Figma Design Deck With Credential Phishing Language	16d ago May 7th, 2025	Sublime Security	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924
Brand impersonation: Microsoft with low reputation links	16d ago May 7th, 2025	Sublime Security	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Credential phishing content and link (untrusted sender)	16d ago May 7th, 2025	Sublime Security	Credential Phishing Social engineering Computer Vision Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/credential-phishing-content-and-link-untrusted-sender-f0c95bb7
Credential phishing: Engaging language and other indicators (untrusted sender)	16d ago May 7th, 2025	Sublime Security	Credential Phishing Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2