Open redirect: Avast

Detects emails containing links to avast.com leveraging an open redirect

Sublime rule:

 1name: "Open redirect: Avast"
 2description: "Detects emails containing links to avast.com leveraging an open redirect"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == "avast.com"
 9          and strings.contains(.href_url.query_params, "DisplayRedirectCustomPage")
10  )
11  and sender.email.domain.root_domain != "avast.com"
12  and (
13    (
14      sender.email.domain.root_domain in $free_email_providers
15      and sender.email.email not in $recipient_emails
16    )
17    or (
18      sender.email.domain.root_domain not in $free_email_providers
19      and sender.email.domain.domain not in $recipient_domains
20    )
21  )  
22attack_types:
23  - "Credential Phishing"
24  - "Malware/Ransomware"
25tactics_and_techniques:
26  - "Open redirect"
27detection_methods:
28  - "Sender analysis"
29  - "URL analysis"
30id: "5f635658-19be-5112-a47b-f8c9bd271999"