Attachment: Calendar invite with suspicious link leading to an open redirect

Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.

Sublime rule (View on GitHub)

 1name: "Attachment: Calendar invite with suspicious link leading to an open redirect"
 2description: "Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension == "ics"
10            or .content_type in ("application/ics", "text/calendar")
11          )
12          and any(file.explode(.),
13                  any(.scan.url.urls,
14                      (
15                        .domain.domain in $free_file_hosts
16                        or (
17                          .domain.root_domain in $free_subdomain_hosts
18                          and .domain.subdomain is not null
19                          and not (
20                            strings.ends_with(.url, "jpeg")
21                            or strings.ends_with(.url, "png")
22                          )
23                          and .domain.subdomain != "www"
24                        )
25                      )
26                      and any(beta.linkanalysis(.).final_dom.links,
27                              any(.href_url.rewrite.encoders,
28                                  strings.icontains(., "open_redirect")
29                              )
30                      )
31                  )
32          )
33  )
34  // negate highly trusted sender domains unless they fail DMARC authentication
35  and (
36    (
37      sender.email.domain.root_domain in $high_trust_sender_root_domains
38      and (
39        any(distinct(headers.hops, .authentication_results.dmarc is not null),
40            strings.ilike(.authentication_results.dmarc, "*fail")
41        )
42      )
43    )
44    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
45  )
46  and (
47    not profile.by_sender().solicited
48    or (
49      profile.by_sender().any_messages_malicious_or_spam
50      and not profile.by_sender().any_false_positives
51    )
52  )
53  and not profile.by_sender().any_false_positives  
54
55attack_types:
56  - "Spam"
57tactics_and_techniques:
58  - "Free email provider"
59  - "Free file host"
60  - "Free subdomain host"
61  - "Open redirect"
62detection_methods:
63  - "Content analysis"
64  - "URL analysis"
65id: "5d6294c7-0b75-5722-851e-27015170bd42"
to-top