Open redirect: Doubleclick.net
Doubleclick.net link leveraging an open redirect from a new or outlier sender.
Sublime rule (View on GitHub)
1name: "Open redirect: Doubleclick.net"
2description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(body.links) < 10
8 and any(body.links,
9 .href_url.domain.root_domain == "doubleclick.net"
10 and (
11 strings.icontains(.href_url.path, "/aclk")
12 or strings.icontains(.href_url.path, "/pcs/click")
13 or strings.icontains(.href_url.path, "/searchads/link/click")
14 )
15 and regex.icontains(.href_url.query_params,
16 '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
17 )
18 )
19attack_types:
20 - "Credential Phishing"
21 - "Malware/Ransomware"
22tactics_and_techniques:
23 - "Open redirect"
24detection_methods:
25 - "Sender analysis"
26 - "URL analysis"
27id: "9c620146-2e0e-5cbb-96fc-fea27236117c"