Attachment: Link to Doubleclick.net open redirect
Doubleclick.net link in a document leveraging an open redirect.
Sublime rule (View on GitHub)
1name: "Attachment: Link to Doubleclick.net open redirect"
2description: "Doubleclick.net link in a document leveraging an open redirect."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.links) == 0
8 and any(attachments,
9 (.file_type in ("pdf", "doc", "docx"))
10 and any(file.explode(.),
11 any(.scan.url.urls,
12 .domain.root_domain == "doubleclick.net"
13 and (
14 strings.icontains(.path, "/aclk")
15 or strings.icontains(.path, "/pcs/click")
16 or strings.icontains(.path, "/searchads/link/click")
17 )
18 and regex.icontains(.query_params,
19 '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
20 )
21 )
22 )
23 )
24
25attack_types:
26 - "BEC/Fraud"
27 - "Credential Phishing"
28tactics_and_techniques:
29 - "Evasion"
30 - "Open redirect"
31 - "Social engineering"
32detection_methods:
33 - "Content analysis"
34 - "File analysis"
35 - "URL analysis"
36id: "506c16cc-a9b8-5b92-88ff-7fc9b6a89086"