Open Redirect: adnxs.com

 1name: "Open Redirect: adnxs.com"
 2description: |
 3    Message contains use of the adnxs.com redirect with getuid parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(body.links,
 9          (
10            .href_url.domain.domain == "ib.adnxs.com"
11            and strings.icontains(.href_url.path, '/getuid')
12            // Make sure the redirect is not going back to adnxs.com
13            and not regex.icontains(.href_url.query_params,
14                                    'getuid\?(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*adnxs\.com(?:\&|\/|$|%2f)'
15            )
16          )
17          // second form of an open redirect
18          or (
19            .href_url.domain.domain == "secure.adnxs.com"
20            and strings.icontains(.href_url.query_params, 'redir=')
21            // Make sure the redirect is not going back to adnxs.com
22            and not regex.icontains(.href_url.query_params,
23                                    'redir=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*adnxs\.com(?:\&|\/|$|%2f)'
24            )
25          )
26  )
27  and not sender.email.domain.root_domain == "adnxs.com"
28  and not sender.email.domain.root_domain == "appnexus.com"
29  
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and not headers.auth_summary.dmarc.pass
35    )
36    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37  )  
38attack_types:
39  - "Credential Phishing"
40  - "Malware/Ransomware"
41tactics_and_techniques:
42  - "Open redirect"
43detection_methods:
44  - "Sender analysis"
45  - "URL analysis"
46id: "7fc92916-6c7a-53dd-9487-22b11ee062b3"