Open Redirect: convertcart.com

 1name: "Open Redirect: convertcart.com"
 2description: |
 3    Message contains use of the convertcart.com redirect. This has been exploited in the wild.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  // convertcart is used in benign messages, however, they commonly have many links
 9  // ensure messages contain less than 10 links convertcart.com to ensure higher fidelity matching of malicious messages
10  and length(filter(body.links, .href_url.domain.root_domain == "convertcart.com")) < 10
11  and any(body.links,
12          .href_url.domain.root_domain == "convertcart.com"
13          and strings.iends_with(.href_url.path, '/click')
14          and strings.icontains(.href_url.query_params, 'url=')
15          and not regex.icontains(.href_url.query_params,
16                                    'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*convertcart\.com(?:\&|\/|$|%2f)'
17          )
18          and not strings.icontains(.href_url.query_params,
19                                    sender.email.domain.root_domain
20          )
21  )
22  // remove uses that originate from convertcart.com
23  and not any(headers.domains, .root_domain in ("convertcart.com", "convertc.com"))
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and not headers.auth_summary.dmarc.pass
29    )
30    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
31  )  
32attack_types:
33  - "Credential Phishing"
34  - "Malware/Ransomware"
35tactics_and_techniques:
36  - "Open redirect"
37detection_methods:
38  - "Sender analysis"
39  - "URL analysis"
40id: "deab563d-bf41-5eed-84c0-2cac743675fc"