Open redirect: convertcart.com

 1name: "Open redirect: convertcart.com"
 2description: |
 3    Message contains use of the convertcart.com redirect. This has been exploited in the wild.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  // convertcart is used in benign messages, however, they commonly have many links
 9  // ensure messages contain less than 10 links convertcart.com to ensure higher fidelity matching of malicious messages
10  and length(filter(body.links, .href_url.domain.root_domain == "convertcart.com")
11  ) < 10
12  and any(body.links,
13          .href_url.domain.root_domain == "convertcart.com"
14          and strings.iends_with(.href_url.path, '/click')
15          and strings.icontains(.href_url.query_params, 'url=')
16          and not regex.icontains(.href_url.query_params,
17                                  'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*convertcart\.com(?:\&|\/|$|%2f)'
18          )
19          and not strings.icontains(.href_url.query_params,
20                                    sender.email.domain.root_domain
21          )
22  )
23  // remove uses that originate from convertcart.com
24  and not any(headers.domains,
25              .root_domain in ("convertcart.com", "convertc.com")
26  )
27  // negate highly trusted sender domains unless they fail DMARC authentication
28  and (
29    (
30      sender.email.domain.root_domain in $high_trust_sender_root_domains
31      and not headers.auth_summary.dmarc.pass
32    )
33    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
34  )  
35attack_types:
36  - "Credential Phishing"
37  - "Malware/Ransomware"
38tactics_and_techniques:
39  - "Open redirect"
40detection_methods:
41  - "Sender analysis"
42  - "URL analysis"
43id: "deab563d-bf41-5eed-84c0-2cac743675fc"