Open redirect: Avast

Detects emails containing links to avast.com leveraging an open redirect

Sublime rule (View on GitHub)

 1name: "Open redirect: Avast"
 2description: "Detects emails containing links to avast.com leveraging an open redirect"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == "avast.com"
 9          and strings.contains(.href_url.query_params, "DisplayRedirectCustomPage")
10  )
11  and sender.email.domain.root_domain != "avast.com"
12  and (
13    not profile.by_sender().solicited
14    or (
15      profile.by_sender().any_messages_malicious_or_spam
16      and not profile.by_sender().any_false_positives
17    )
18  )  
19attack_types:
20  - "Credential Phishing"
21  - "Malware/Ransomware"
22tactics_and_techniques:
23  - "Open redirect"
24detection_methods:
25  - "Sender analysis"
26  - "URL analysis"
27id: "5f635658-19be-5112-a47b-f8c9bd271999"
to-top