Open Redirect (go2.aspx) leading to Microsoft credential phishing

This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.

Sublime rule (View on GitHub)

 1name: "Open Redirect (go2.aspx) leading to Microsoft credential phishing"
 2description: |
 3  This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as
 4  Microsoft-related emails.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9
10  // url path ends with go2.aspx
11  and any(body.links,
12          strings.ends_with(.href_url.path, "go2.aspx")
13
14          // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
15          // pattern intended to capture an encoded email passed as an additional parameter
16          and (
17            regex.contains(.href_url.query_params,
18                           '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
19            )
20            or regex.icontains(ml.link_analysis(.).effective_url.query_params,
21                               '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
22            )
23          )
24  )
25  and headers.mailer is null
26  and regex.icontains(body.html.inner_text, '(i͏c͏r͏os͏of͏|icrosof)|(office|o)\s?365')  
27attack_types:
28  - "Credential Phishing"
29tactics_and_techniques:
30  - "Impersonation: Brand"
31  - "Open redirect"
32detection_methods:
33  - "Content analysis"
34  - "Header analysis"
35  - "URL analysis"
36id: "51667096-1628-5113-809b-97155a03eadf"
to-top