Skip to content

Commit

Permalink
Sync from PR#864
Browse files Browse the repository at this point in the history
New Rule: Doubleclick open redirect by @morriscode
#864
Source SHA 6f7465b
Triggered by @morriscode
  • Loading branch information
Sublime Rule Testing Bot committed Oct 18, 2023
1 parent ec9bda5 commit 79acdc6
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions detection-rules/open_redirect_doubleclick.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: "Open redirect: Doubleclick.net"
description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "doubleclick.net"
and .href_url.path == "/aclk"
and regex.icontains(.href_url.query_params, "&adurl=[a-zA-Z]{3,10}://.*$")
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "9c620146-2e0e-5cbb-96fc-fea27236117c"
testing_pr: 864
testing_sha: 6f7465b437f402fa9fa285a30bb0c883b2d7ebb1

0 comments on commit 79acdc6

Please sign in to comment.