Open Redirect: bangkoksync.com
Message contains use of the bangkoksync.com open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open Redirect: bangkoksync.com"
2description: |
3 Message contains use of the bangkoksync.com open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "bangkoksync.com"
10 and strings.icontains(.href_url.path, '/goto.php')
11 and regex.icontains(.href_url.query_params,
12 'url=(?:https?|(?:\/|%2f)(?:\/|%2f))'
13 )
14 and any(.href_url.query_params_decoded["url"],
15 strings.parse_url(.).domain.root_domain != "bangkoksync.com"
16 )
17 )
18 and not sender.email.domain.root_domain == "bangkoksync.com"
19
20 // negate highly trusted sender domains unless they fail DMARC authentication
21 and (
22 (
23 sender.email.domain.root_domain in $high_trust_sender_root_domains
24 and not headers.auth_summary.dmarc.pass
25 )
26 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27 )
28attack_types:
29 - "Credential Phishing"
30 - "Malware/Ransomware"
31tactics_and_techniques:
32 - "Open redirect"
33detection_methods:
34 - "Sender analysis"
35 - "URL analysis"
36id: "e1449ccd-566e-5218-8bfe-269afc4182e7"