Create link_userinfo_excessive_padding.yml

detection-rules/link_userinfo_excessive_padding.yml

@@ -0,0 +1,26 @@
+name: "Link: Obfuscation via userinfo with Excessive URL Padding"
+description: "Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 100
+  and any(body.links,
+          // Detects deceptive URLs where the URL appears to start with a trusted domain (e.g., youtube.com@),
+          // but the actual destination domain is something else (e.g., malicious-site.com).
+          // In such cases, browsers interpret the portion before the '@' symbol as a username (e.g., youtube.com),
+          // and the URL resolves to the domain after the '@' symbol (malicious-site.com).
+          // This technique is often used in phishing attacks to trick users into trusting the link by showing a familiar domain.
+          // (?:%(?:25)?[a-f0-9]{2}){30,} is the key part which detects 30 or more URL encoded values before an @ (or a URL encoded @)
+          regex.icontains(coalesce(.href_url.rewrite.original, .href_url.url),
+                       'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:%(?:25)?[a-f0-9]{2}){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Brand"
+detection_methods:
+  - "URL analysis"
+id: "806317a3-d931-501c-9505-d2e08c646565"