Open redirect (go2.aspx) leading to Microsoft credential phishing

This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.

Sublime rule

name: "Open redirect (go2.aspx) leading to Microsoft credential phishing"
description: |
  This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as
  Microsoft-related emails.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // url path ends with go2.aspx
  and any(body.links,
          strings.ends_with(.href_url.path, "go2.aspx")

          // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
          // pattern intended to capture an encoded email passed as an additional parameter
          and (
            regex.contains(.href_url.query_params,
                           '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
            )
            or regex.icontains(ml.link_analysis(.).effective_url.query_params,
                               '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
            )
          )
  )
  and headers.mailer is null
  and regex.icontains(body.html.inner_text,
                      '(i\x{034F}c\x{034F}r\x{034F}os\x{034F}of\x{034F}|icrosof)|(office|o)\s?365'
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
id: "51667096-1628-5113-809b-97155a03eadf"
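To see what each clause of the rule accepts and rejects, here is an added Python re-implementation of its href_url branch (example code written for this page, not part of the Sublime rule or its engine); the URLs, body text and mailer value are constructed samples, and the ml.link_analysis branch that follows the redirect is not reproduced.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlparse

# Same patterns as the rule above. MQL writes the combining grapheme joiner as
# \x{034F}; Python spells it \u034f. The brand check is case-insensitive, as
# regex.icontains is in the rule; the query check is case-sensitive, as regex.contains is.
QUERY_RE = re.compile(r"[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$")
BRAND_RE = re.compile(
    r"(i\u034fc\u034fr\u034fos\u034fof\u034f|icrosof)|(office|o)\s?365", re.IGNORECASE
)


def link_is_suspicious(href: str) -> bool:
    """Path must end with go2.aspx and the raw query string must match QUERY_RE."""
    parsed = urlparse(href)
    if not parsed.path.endswith("go2.aspx"):
        return False
    # Note the second alternative, =[^=]$, also fires on any query whose last
    # value is a single character (e.g. ?id=4), not only on base64 padding.
    return QUERY_RE.search(parsed.query) is not None


def body_impersonates_microsoft(inner_text: str) -> bool:
    """Matches 'icrosof' with or without U+034F between letters, or Office/O 365."""
    return BRAND_RE.search(inner_text) is not None


def rule_matches(links: Iterable[str], inner_text: str, mailer: Optional[str]) -> bool:
    """Combine the three conditions exactly as the rule's top-level 'and' does."""
    return (
        mailer is None  # headers.mailer is null
        and any(link_is_suspicious(h) for h in links)
        and body_impersonates_microsoft(inner_text)
    )


# Constructed sample message: a go2.aspx redirect whose query names an external
# host and ends with a base64-looking value, plus a brand name with U+034F hidden
# between letters so a plain "Microsoft" substring check would miss it.
SAMPLE_LINKS = [
    "https://redirector.example/go2.aspx?r=login-portal.example/auth&e=dXNlckBleGFtcGxlLnRlc3Q="
]
SAMPLE_BODY = "Your M" + "i\u034fc\u034fr\u034fos\u034fof\u034ft" + " account needs verification."

if __name__ == "__main__":
    print(rule_matches(SAMPLE_LINKS, SAMPLE_BODY, mailer=None))  # True
```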