Link: Direct Link to keap.app contact-us page
Detects URLs linking to Keap App contact us, which has been used to host malicious content due to its trusted domain status and product capabilities
Sublime rule (View on GitHub)
1name: "Link: Direct Link to keap.app contact-us page"
2description: "Detects URLs linking to Keap App contact us, which has been used to host malicious content due to its trusted domain status and product capabilities"
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.links) < 10
8 and any(body.links,
9 (
10 .href_url.domain.root_domain == "keap.app"
11 and strings.istarts_with(.href_url.path, '/contact-us/')
12 )
13 // encoded within the query_params (common for open redirects)
14 or (
15 (
16 strings.icontains(.href_url.query_params, 'keap.app')
17 or strings.icontains(.href_url.query_params, 'keap%2eapp')
18 or strings.icontains(.href_url.query_params, 'keap%252eapp')
19 )
20 and strings.istarts_with(.href_url.query_params, '/contact-us/')
21 )
22 )
23 and length(filter(body.links,
24 .href_url.domain.root_domain == "keap.app"
25 // encoded within the query_params (common for open redirects)
26 or strings.icontains(.href_url.query_params, 'keap.app')
27 or strings.icontains(.href_url.query_params, 'keap%2eapp')
28 or strings.icontains(.href_url.query_params, 'keap%252eapp')
29 )
30 ) == 1
31tags:
32 - "Attack surface reduction"
33attack_types:
34 - "Credential Phishing"
35 - "Malware/Ransomware"
36tactics_and_techniques:
37 - "Free file host"
38 - "Evasion"
39detection_methods:
40 - "URL analysis"
41id: "a7a69267-5761-5f35-a8ff-6d19b7fd0d99"