Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old)

An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.

Sublime rule (View on GitHub)

```yaml
name: "Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old)"
description: |
  An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site.
  This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "low"
source: |
  type.inbound and
  any(body.links,
    .href_url.domain.root_domain =~ "goo.gl" and
    strings.icontains(.href_url.domain.domain, "app") and
    any(beta.linkanalysis(.).redirect_history, beta.whois(.domain).days_old < 7)
  )
tags:
  - "Suspicious link"
```
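
The rule's matching logic, re-expressed in Python as an added example (not part of the Sublime rule or its project) so the conditions can be exercised offline. The WHOIS lookup is replaced by a constructed `created_on` table, the registrable-domain split is a naive last-two-labels cut, and all function names, URLs and dates are assumptions made for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

MAX_AGE_DAYS = 7  # the rule fires on days_old < 7

def host_and_root(url):
    """Return (full host, naive root domain = last two labels), lower-cased."""
    host = (urlsplit(url).hostname or "").lower()
    return host, ".".join(host.split(".")[-2:])

def is_firebase_dynamic_link(url):
    """Host test from the rule: root domain goo.gl and "app" anywhere in the host."""
    host, root = host_and_root(url)
    return root == "goo.gl" and "app" in host

def rule_matches(link, redirect_history, created_on, today):
    """True when a Firebase Dynamic Link has any redirect hop on a domain < 7 days old.

    created_on stands in for the WHOIS lookup; a domain with no record is
    treated as not matching (an assumption of this sketch).
    """
    if not is_firebase_dynamic_link(link):
        return False
    for hop in redirect_history:
        created = created_on.get(host_and_root(hop)[1])
        if created is not None and (today - created).days < MAX_AGE_DAYS:
            return True
    return False

# Constructed sample data: reserved .example/.test names and made-up dates.
TODAY = date(2024, 1, 10)
CREATED_ON = {
    "fresh-site.example": date(2024, 1, 7),  # 3 days old
    "week-old.example": date(2024, 1, 3),    # exactly 7 days old (boundary)
    "old-site.example": date(2015, 5, 1),
}
SAMPLES = [
    ("https://example.app.goo.gl/AbCd",      # new domain later in the chain
     ["https://www.old-site.example/r", "https://login.fresh-site.example/"]),
    ("https://example.app.goo.gl/EfGh", ["https://www.old-site.example/"]),
    ("https://example.app.goo.gl/IjKl", ["https://week-old.example/"]),
    ("https://example.app.goo.gl/MnOp", ["https://no-whois.test/"]),
    ("https://goo.gl/QrSt", ["https://login.fresh-site.example/"]),  # no "app" host
]

def evaluate_samples():
    return [rule_matches(link, hops, CREATED_ON, TODAY) for link, hops in SAMPLES]

if __name__ == "__main__":
    print(evaluate_samples())
```

Only the first sample matches: the 7-day-old domain sits on the boundary of the strict `< 7` comparison, and a hop with no registration record cannot satisfy the age test.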
