Link: Suspicious go.php redirect with document lure
Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.
Sublime rule (View on GitHub)
1name: "Link: Suspicious go.php redirect with document lure"
2description: "Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.current_thread.links,
8 strings.ends_with(.href_url.path, "go.php")
9 and strings.starts_with(.href_url.query_params, "auth=", "c=")
10 and strings.count(.href_url.path, "/") == 2
11 )
12attack_types:
13 - "Credential Phishing"
14tactics_and_techniques:
15 - "Evasion"
16 - "Social engineering"
17detection_methods:
18 - "Content analysis"
19 - "URL analysis"
20id: "f3d8c227-116e-578c-9e12-4be0efd02e94"