Attachment: Link to Doubleclick.net Open Redirect

 1name: "Attachment: Link to Doubleclick.net Open Redirect"
 2description: "Doubleclick.net link in a document leveraging an open redirect from a new or outlier sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) == 0
 8  and any(attachments,
 9          (.file_type in ("pdf", "doc", "docx"))
10          and any(file.explode(.),
11                  any(.scan.url.urls,
12                      .domain.root_domain == "doubleclick.net"
13                      and (
14                        strings.icontains(.path, "/aclk")
15                        or strings.icontains(.path, "/pcs/click")
16                        or strings.icontains(.path, "/searchads/link/click")
17                      )
18                      and regex.icontains(.query_params,
19                                          '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
20                      )
21                  )
22          )
23  )
24  and (
25    profile.by_sender().prevalence in ("new", "outlier")
26    or (
27      profile.by_sender().any_messages_malicious_or_spam
28      and not profile.by_sender().any_false_positives
29    )
30  )  
31
32attack_types:
33  - "BEC/Fraud"
34  - "Credential Phishing"
35tactics_and_techniques:
36  - "Evasion"
37  - "Open redirect"
38  - "Social engineering"
39detection_methods:
40  - "Content analysis"
41  - "File analysis"
42  - "URL analysis"
43id: "506c16cc-a9b8-5b92-88ff-7fc9b6a89086"