Open redirect: designsori.com
Message contains use of the designsori.com open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: designsori.com"
2description: |
3 Message contains use of the designsori.com open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "designsori.com"
10 and strings.icontains(.href_url.path, 'redirect.php')
11 and regex.icontains(.href_url.query_params,
12 'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}'
13 )
14 and not regex.icontains(.href_url.query_params,
15 'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*designsori\.com(?:\&|\/|$)'
16 )
17 )
18 and not sender.email.domain.root_domain == "designsori.com"
19
20 // negate highly trusted sender domains unless they fail DMARC authentication
21 and (
22 (
23 sender.email.domain.root_domain in $high_trust_sender_root_domains
24 and not headers.auth_summary.dmarc.pass
25 )
26 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27 )
28attack_types:
29 - "Credential Phishing"
30 - "Malware/Ransomware"
31tactics_and_techniques:
32 - "Open redirect"
33detection_methods:
34 - "Sender analysis"
35 - "URL analysis"
36id: "4c38ff47-4709-5ab9-963c-eabc0732800e"