Open redirect: Avast
Detects emails containing links to avast.com leveraging an open redirect
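name: "Open redirect: Avast"
description: "Detects emails containing links to avast.com leveraging an open redirect"
type: "rule"
severity: "medium"
# Match logic (MQL):
#   - inbound message with at least one body link whose root domain is
#     avast.com and whose query string carries the DisplayRedirectCustomPage
#     parameter (the redirect entry point this rule keys on);
#   - the sender itself is not avast.com;
#   - sender reputation gate: the sender is unsolicited, or has prior
#     malicious/spam verdicts with no recorded false positives.
# The parameter name is matched case-insensitively (strings.icontains): web
# servers commonly treat query-parameter names case-insensitively, so a
# re-cased variant would still redirect but would slip past a case-sensitive
# check.
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "avast.com"
          and strings.icontains(.href_url.query_params, "DisplayRedirectCustomPage")
  )
  and sender.email.domain.root_domain != "avast.com"
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
# Taxonomy used for triage/reporting; values are the catalog's fixed labels.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier; must not change when the rule is edited.
id: "5f635658-19be-5112-a47b-f8c9bd271999"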