The absence of any URL in a mail message (the rule below fires when the From:, To: and Subject: headers are present but no http or https link is) may indicate an adversary attempting to avoid detection by bypassing standard web-based communication channels. SOC teams should proactively hunt for this behavior to identify potential covert command-and-control mechanisms or data exfiltration tactics that evade traditional network monitoring.
YARA Rule
rule without_urls : mail {
    meta:
        author = "Antonio Sanchez <asanchez@hispasec.com>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the no presence of any url"
    strings:
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        $url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
    condition:
        all of ( $eml_* ) and
        not $url_regex
}
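To see how the rule's condition behaves on real-looking input, the following is an added Python re-implementation of its logic (it is not the rule author's code and does not use the YARA engine). It approximates YARA semantics: the $eml_* strings are case-sensitive substring matches because the rule has no nocase modifier, and $url_regex is the rule's /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ rewritten in Python syntax. All mail samples are constructed for the example.

```python
import re

# Added example: Python re-implementation of the without_urls YARA rule logic,
# not the rule author's code. YARA semantics approximated here:
#   - $eml_* are plain, case-sensitive substring matches (no "nocase")
#   - $url_regex is /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ in Python syntax
EML_MARKERS = (b"From:", b"To:", b"Subject:")
URL_RE = re.compile(rb"https?://([\w.-]+)([/\w .-]*)")


def without_urls(data: bytes) -> bool:
    """True when the sample would match the rule: every header marker is
    present ("all of ($eml_*)") and no http(s) URL is found ("not $url_regex")."""
    has_headers = all(marker in data for marker in EML_MARKERS)
    return has_headers and URL_RE.search(data) is None


def extract_urls(data: bytes) -> list[bytes]:
    """The URLs $url_regex would match, i.e. what suppresses the rule."""
    return [m.group(0) for m in URL_RE.finditer(data)]


# Constructed samples (not real mail), one per behaviour worth checking.
SAMPLES = {
    # Plain-text mail with no link at all: the rule fires.
    "plain_mail": (
        b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: Invoice\r\n\r\nPlease see the attached invoice.\r\n"
    ),
    # Same mail with an https link: $url_regex matches, rule is suppressed.
    "mail_with_link": (
        b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: Invoice\r\n\r\nDownload: https://files.example.com/invoice.pdf\r\n"
    ),
    # A link without a scheme is not a URL for $url_regex, so the rule still fires.
    "schemeless_link": (
        b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: Invoice\r\n\r\nVisit www.example.com/login for details.\r\n"
    ),
    # Upper-case header names never match the case-sensitive $eml_* strings.
    "uppercase_headers": (
        b"FROM: alice@example.com\r\nTO: bob@example.com\r\n"
        b"SUBJECT: Invoice\r\n\r\nNo links here.\r\n"
    ),
    # Not mail at all: the header markers are missing, so "all of ($eml_*)" fails.
    "http_request": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def scan(samples: dict[str, bytes]) -> dict[str, bool]:
    """Apply the rule logic to every sample, keyed by sample name."""
    return {name: without_urls(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:18s} match={hit!s:5s} urls={extract_urls(SAMPLES[name])}")
```

Running it shows two properties of the rule a hunter should keep in mind when triaging hits: a message is "without URLs" only with respect to http:// and https:// links, so a bare www.example.com/login still counts as a match, and a message whose header names are not in the exact casing From:/To:/Subject: is never examined at all.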
This rule contains 4 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: A system management tool like WSUS (Windows Server Update Services) runs a scheduled job to download updates, which includes URLs in the update metadata but not in the actual payload.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or wsus in the domain.
Scenario: PowerShell scripts used for configuration management (e.g., via Chef or Puppet) may reference URLs for downloading modules or configuration files during deployment.
Filter/Exclusion: Exclude URLs containing .ps1, .zip, or specific module repositories like gallery.technet.microsoft.com.
Scenario: Log management tools like Splunk or ELK Stack may include URLs in their configuration files or during data ingestion, such as when using HTTP event collectors.
Filter/Exclusion: Exclude URLs containing splunk, logstash, or elasticsearch in the domain.
Scenario: Backup jobs using tools like Veeam or Commvault may include URLs for remote backup storage or cloud repositories.
Filter/Exclusion: Exclude URLs containing backup, cloud, or specific storage provider domains like aws, azure, or google.
Scenario: Admin tasks such as Group Policy Object (GPO) imports or PowerShell remoting may reference URLs for policy files or remote execution, even if they are not malicious.
Filter/Exclusion: Exclude URLs containing gpo, policy, or remoting in the path or query parameters.