Sync from PR#2299

Create link_user_info_excessive_padding.yml by @zoomequipd #2299 Source SHA bfbb8a5 Triggered by @zoomequipd
sublime-security · Jan 10, 2025 · d6a3a81 · d6a3a81
1 parent 5fcde29
commit d6a3a81
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/detection-rules/link_userinfo_excessive_padding.yml b/detection-rules/link_userinfo_excessive_padding.yml
@@ -0,0 +1,22 @@
+name: "Link: Obfuscation via userinfo with Excessive URL Padding"
+description: "Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 100
+  and any(body.links,
+          regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
+                       'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:%(?:25)?[a-f0-9]{2}){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Brand"
+detection_methods:
+  - "URL analysis"
+id: "806317a3-d931-501c-9505-d2e08c646565"
+testing_pr: 2299
+testing_sha: bfbb8a5a704de480a4bb9d68bd47ca8c488310bc