From 79acdc6fa7577fc8e2a3b1da670a97a289e4c098 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 18 Oct 2023 17:07:35 +0000
Subject: [PATCH] Sync from PR#864 New Rule: Doubleclick open redirect by @morriscode https://github.com/sublime-security/sublime-rules/pull/864 Source SHA 6f7465b437f402fa9fa285a30bb0c883b2d7ebb1 Triggered by @morriscode
---
 detection-rules/open_redirect_doubleclick.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 detection-rules/open_redirect_doubleclick.yml

diff --git a/detection-rules/open_redirect_doubleclick.yml b/detection-rules/open_redirect_doubleclick.yml
new file mode 100644
index 00000000000..6e7358d61e0
--- /dev/null
+++ b/detection-rules/open_redirect_doubleclick.yml
@@ -0,0 +1,30 @@
+name: "Open redirect: Doubleclick.net"
+description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 10
+  and any(body.links,
+    .href_url.domain.root_domain == "doubleclick.net"
+    and .href_url.path == "/aclk"
+    and regex.icontains(.href_url.query_params, "&adurl=[a-zA-Z]{3,10}://.*$")
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Open redirect"
+detection_methods:
+  - "Sender analysis"
+  - "URL analysis"
+id: "9c620146-2e0e-5cbb-96fc-fea27236117c"
+testing_pr: 864
+testing_sha: 6f7465b437f402fa9fa285a30bb0c883b2d7ebb1
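Review bot: The query-string regex in the `any(body.links, …)` clause requires a literal `&` before `adurl=`, so a link whose `adurl` is the first (or only) query parameter is never matched, assuming `.href_url.query_params` holds the query string without the leading `?`; an attacker-controlled redirect does not need any preceding parameter to work. Anchoring on either start-of-string or `&` closes that gap, and since `regex.icontains` is already case-insensitive and a substring match, the `[a-zA-Z]` class and trailing `.*$` add nothing: `and regex.icontains(.href_url.query_params, "(?:^|&)adurl=[a-z]{3,10}://")`. It may also be worth a comment noting that the sender-profile clause, not the URL shape, is what separates this from legitimate DoubleClick click-tracking links, which carry `adurl=` as well.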