From c0274c10c06c0f22ae0d79aa2da5902ce915492c Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 13 Jun 2023 19:41:38 +0000
Subject: [PATCH] Sync from PR#414 New Rule (Body): Unicode slashes in URL by @JamesCooteUK https://github.com/sublime-security/sublime-rules/pull/414 Source SHA 4afdba3b63dfb5866c031ab1058bf83a50f84c36 Triggered by @jkamdjou
---
 detection-rules/body_unicode_slashes_in_url.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 detection-rules/body_unicode_slashes_in_url.yml
diff --git a/detection-rules/body_unicode_slashes_in_url.yml b/detection-rules/body_unicode_slashes_in_url.yml
new file mode 100644
index 00000000000..0846fd79eae
--- /dev/null
+++ b/detection-rules/body_unicode_slashes_in_url.yml
@@ -0,0 +1,14 @@
+name: "Body: Contains URL with Unicode U+2044 (⁄) or U+2215 (∕) characters"
+description: |
+ Body of the email, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.
+type: "rule"
+severity: "low"
+authors:
+ - twitter: "delivr_to"
+references:
+ - https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
+source: "type.inbound and \n(\n regex.icontains(body.plain.raw, 'https?:\\/\\/[^\\s⁄∕]+(?:\\/[^\\s⁄∕]+)*[⁄∕][^\\s⁄∕]+') or\n any(body.links, regex.icontains(.href_url.url,'https?:\\/\\/[^\\s⁄∕]+(?:\\/[^\\s⁄∕]+)*[⁄∕][^\\s⁄∕]+') )\n)\n"
+tags:
+ - "Suspicious Link"
+testing_pr: 414
+testing_sha: 4afdba3b63dfb5866c031ab1058bf83a50f84c36
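Review bot: The `source:` value is written as a double-quoted one-liner with embedded `\n` and doubly-escaped `\\/` and `\\s`, which makes the MQL and its regex hard to read and easy to break on the next edit; a literal block scalar (`source: |`) keeps the newlines as written and halves the escaping, as shown below. The same regex is also pasted twice (once for `body.plain.raw`, once for `.href_url.url`), so any future adjustment has to be made in two places. The description says "Body of the email", but only `body.plain.raw` is inspected — if HTML-only messages do not populate that field, the first clause never fires and detection rests solely on `body.links`; confirm that or narrow the description accordingly. The trailing `[^\s⁄∕]+` additionally requires at least one character after the lookalike slash, so a URL whose lookalike slash is its final character is not matched, which may or may not be intended.
```yaml
# … unchanged: name, description, type, severity, authors, references …
source: |
  type.inbound and
  (
    regex.icontains(body.plain.raw, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+') or
    any(body.links, regex.icontains(.href_url.url, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'))
  )
# … unchanged: tags, testing_pr, testing_sha …
```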