Updating rule: attachment_pdf_with_google_ae_redirect.yml (#809)

Co-authored-by: Sam Scholten <[email protected]>
sublime-security · Sep 26, 2023 · b6f9ef6 · b6f9ef6
1 parent 8a09102
commit b6f9ef6
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/detection-rules/attachment_pdf_with_google_ae_redirect.yml b/detection-rules/attachment_pdf_with_google_ae_redirect.yml
@@ -1,5 +1,5 @@
-name: "PDF attachment with Google (AE) redirecting to a php file"
-description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL"
+name: "PDF attachment with Google (AE) redirecting to a php or zip file"
+description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL."
 references:
   - "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20"
   - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
@@ -13,8 +13,11 @@ source: |
                   any(.scan.pdf.urls,
                       // url encoded q=http
                       strings.starts_with(.query_params, "q=%68%74%74%70")
-                      // url encoded .php
-                      and strings.contains(.query_params, ".%70%68%70")
+                      // url encoded .php or .zip
+                      and (
+                          strings.contains(.query_params, ".%70%68%70")
+                          or strings.contains(.query_params, "%2e%7a%69%70")
+                      )
                       and .domain.root_domain == "google.ae"
                   )
           )