Service abuse: Meetup.com redirect with brand impersonation
Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.
Sublime rule
```yaml
name: "Service abuse: Meetup.com redirect with brand impersonation"
description: "Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // we check 'body links' as this campaign has been observed abusing fake threads
  and any(body.links,
          .href_url.domain.domain == "clicks.meetup.com"
          // a lengthy URL hints at the redirect chain that follows the click
          and length(.href_url.url) > 300
  )
  // negate legit meetup.com by checking for their logo
  and not any(html.xpath(body.html, '//img/@src').nodes,
              strings.icontains(.raw, 'meetupstatic')
  )
  // negate high trust senders that pass auth
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Impersonation: Brand"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "HTML analysis"
  - "Content analysis"
  - "Sender analysis"
id: "83f6f162-ec75-5f0b-acd0-c566beda545a"
```
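The same four conditions, reimplemented in plain Python over constructed message bodies so the rule's logic can be exercised offline; this is an added illustration, not code from Sublime's rule repository. The `HIGH_TRUST_SENDER_ROOT_DOMAINS` set stands in for the `$high_trust_sender_root_domains` list, the HTML extraction is a simple regex rather than Sublime's XPath engine, and the sample URLs and addresses are invented.

```python
import re
from urllib.parse import urlparse

# Assumed stand-in for Sublime's $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"meetup.com"}

def _attr_values(html, tag, attr):
    """Return every value of `attr` on `tag` elements (regex is enough for these samples)."""
    pattern = r'<%s\b[^>]*\b%s=["\']([^"\']*)["\']' % (tag, attr)
    return re.findall(pattern, html, flags=re.IGNORECASE)

def _root_domain(host):
    # Registrable-domain approximation: last two labels (no public-suffix list here).
    return ".".join(host.lower().split(".")[-2:])

def matches_meetup_redirect_rule(html, sender_email, dmarc_pass):
    """Mirror the rule's conditions; True means the message would be flagged."""
    # 1. Any body link to clicks.meetup.com whose full URL exceeds 300 characters.
    suspicious = any(
        (urlparse(href).hostname or "").lower() == "clicks.meetup.com" and len(href) > 300
        for href in _attr_values(html, "a", "href")
    )
    if not suspicious:
        return False
    # 2. Genuine Meetup mail embeds its logo from a meetupstatic host; exclude those.
    if any("meetupstatic" in src.lower() for src in _attr_values(html, "img", "src")):
        return False
    # 3. Exclude high-trust root domains that also pass DMARC (coalesce(..., false)).
    root = _root_domain(sender_email.rsplit("@", 1)[-1])
    if root in HIGH_TRUST_SENDER_ROOT_DOMAINS and bool(dmarc_pass):
        return False
    return True

# Constructed samples, not real campaign data; an opaque 320-char path stands in for the redirect chain.
LONG_REDIRECT = "https://clicks.meetup.com/f/a/" + "x" * 320
SUSPICIOUS_HTML = '<p>Re: your request</p><a href="%s">Review</a>' % LONG_REDIRECT
LEGIT_HTML = ('<img src="https://secure.meetupstatic.com/s/img/logo.png">'
              '<a href="%s">Event</a>' % LONG_REDIRECT)
SHORT_LINK_HTML = '<a href="https://clicks.meetup.com/f/a/short">Event</a>'

if __name__ == "__main__":
    print(matches_meetup_redirect_rule(SUSPICIOUS_HTML, "sender@example.invalid", None))  # True
    print(matches_meetup_redirect_rule(LEGIT_HTML, "sender@example.invalid", None))       # False
    print(matches_meetup_redirect_rule(SUSPICIOUS_HTML, "info@meetup.com", True))         # False
    print(matches_meetup_redirect_rule(SHORT_LINK_HTML, "sender@example.invalid", None))  # False
```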