Open redirect: Club-OS
Message contains use of the Club-OS open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: Club-OS"
2description: |
3 Message contains use of the Club-OS open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "club-os.com"
10 and strings.icontains(.href_url.path, 'click')
11 and strings.icontains(.href_url.query_params, 'target=')
12 // negate hash lookup targets (not actor controlled)
13 and not (
14 regex.icontains(.href_url.query_params, 'target=[a-f0-9]{40}(?:$|&)')
15 and strings.icontains(.href_url.query_params, '&hashLookup=true')
16 )
17 // negate urls that go back to club-os
18 and not regex.icontains(.href_url.query_params,
19 'target=[^\&]*club-os.com/'
20 )
21 )
22
23 // negate highly trusted sender domains unless they fail DMARC authentication
24 and (
25 (
26 sender.email.domain.root_domain in $high_trust_sender_root_domains
27 and not headers.auth_summary.dmarc.pass
28 )
29 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
30 )
31attack_types:
32 - "Credential Phishing"
33 - "Malware/Ransomware"
34tactics_and_techniques:
35 - "Open redirect"
36detection_methods:
37 - "Sender analysis"
38 - "URL analysis"
39id: "c6286914-059d-5879-8f17-b923304cb628"