Open redirect: Atdmt
Message contains use of the Atdmt (Facebook) open redirect.
Sublime rule
name: "Open redirect: Atdmt"
description: |
  Message contains use of the Atdmt (Facebook) open redirect.
references:
  - "https://en.wikipedia.org/wiki/Atdmt"
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
    .href_url.domain.domain == 'ad.atdmt.com' and strings.ilike(.href_url.path, '*/c*')
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "URL analysis"
id: "fafbd230-bb09-5306-b652-3060639b8660"