Image as content with a link to an open redirect (unsolicited)
Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.
# Sublime detection rule: fires on unsolicited inbound mail whose body is
# essentially one inline image plus a link that is routed through an open redirect.
name: "Image as content with a link to an open redirect (unsolicited)"
description: "Body contains little, no, or only disclaimer text, an image, and a link to an open redirect."
type: "rule"
severity: "high"
# MQL expression; every top-level `and` clause must hold for the rule to match.
source: |
  type.inbound
  // at most two links in the body
  and length(body.links) < 3
  // exactly one or two attachments, all image file types, each above the size floor
  // (unit of `.size` is not stated here — presumably bytes, confirm against the MQL reference)
  and 0 < (length(attachments)) < 3
  and all(attachments, (.file_type in $file_types_images))
  and all(attachments, (.size > 10000))
  // image is in body
  // NOTE(review): case-insensitive literal match on a single attribute form; a
  // regex.icontains over the HTML attribute quoting variants would make this check more robust
  and strings.icontains(body.html.raw, 'src="cid')
  // sender domain matches no body domains
  // (vacuously true with no links, but the open-redirect clause below requires at least one)
  and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 900
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        (
          strings.contains(body.current_thread.text, sender.email.email)
          and strings.contains(body.current_thread.text, 'caution')
        )
        or regex.icontains(body.current_thread.text,
                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
        )
      )
    )
  )
  // at least one link is an open redirect: either the URL rewrite analysis reports an
  // "open_redirect" encoder on a domain outside the high-trust list, or the link is a
  // sng.link URL carrying a fallback_redirect query parameter
  and (
    any(body.links,
        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
        and .href_url.domain.root_domain not in $high_trust_sender_root_domains
    )
    or any(body.links,
           .href_url.domain.root_domain == 'sng.link'
           and strings.ilike(.href_url.query_params, "*fallback_redirect*")
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust domain that fails DMARC is still evaluated, so spoofed senders are not exempted)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender is unsolicited, or has prior malicious/spam verdicts with no false positives on record
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // suppress senders whose profile prevalence is "common"
  and not profile.by_sender().prevalence == "common"

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"