Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old)

An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.

Sublime rule (View on GitHub)

 1name: "Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old)"
 2description: |
 3  An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. 
 4  This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.  
 5type: "rule"
 6authors:
 7  - twitter: "ajpc500"
 8severity: "low"
 9source: |
10  type.inbound
11  and any(body.links,
12          .href_url.domain.root_domain =~ "goo.gl"
13          and strings.icontains(.href_url.domain.domain, "app")
14          and any(ml.link_analysis(.).redirect_history, network.whois(.domain).days_old < 7)
15  )  
16attack_types:
17  - "Credential Phishing"
18  - "Malware/Ransomware"
19tactics_and_techniques:
20  - "Evasion"
21detection_methods:
22  - "URL analysis"
23  - "Whois"
24id: "5a204a37-3120-53c1-a55a-5f4f09c61dc4"
to-top