I made a search where I use a regular expression to extract the username from the email address, because we noticed that a lot of phishing mails contain that pattern. The following line is the expression:
| rex field=receiver_email "(?<user>[a-zA-Z]+.[a-zA-Z]+)\@"
Now I want to add the field "user" to a search query to verify if the content body of an email contains a URL with that field. The search line that I tried is:
| search content_body="<https://*user*>"
Of course this only verifies if the content equals the string "user", but I don't know how to change it to the field value.
So, just as an example, if the URL is
A part of the content body
The rest of the content body
I should get a hit because the username is in that URL.
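A search that does what the question asks, as an added example rather than the poster's own query: the `search` command only matches literal strings, so the check moves into `where` with `match()`, which can build its regex from the extracted field at search time. `index=mail` and `sourcetype=email` are placeholders for wherever the mail data actually lives; the dot in the username pattern is escaped so the capture stops at a literal first.last form, and `rex max_match=0` then pulls out every URL in the body so the matching link can be reviewed.

```spl
index=mail sourcetype=email
| rex field=receiver_email "(?<user>[a-zA-Z]+\.[a-zA-Z]+)@"
| eval user_lc=lower(user)
| where isnotnull(user_lc) AND match(lower(content_body), "https?://[^\s<>]*" . user_lc)
| rex field=content_body max_match=0 "(?<url>https?://[^\s<>]+)"
| table _time receiver_email user url
```

A hit means the recipient's mailbox name appears inside a link in the body, which is the phishing pattern described above; review the `url` field to confirm before treating the message as malicious.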