Open redirect: Doubleclick.net

calendar Jul 8, 2024  ยท
Share on: linkedin copy

Doubleclick.net link leveraging an open redirect from a new or outlier sender.

Sublime rule (View on GitHub)

 1name: "Open redirect: Doubleclick.net"
 2description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(body.links,
 9          .href_url.domain.root_domain == "doubleclick.net"
10          and (
11            strings.icontains(.href_url.path, "/aclk")
12            or strings.icontains(.href_url.path, "/pcs/click")
13            or strings.icontains(.href_url.path, "/searchads/link/click")
14          )
15          and regex.icontains(.href_url.query_params,
16                              '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
17          )
18  )
19  and (
20    profile.by_sender().prevalence in ("new", "outlier")
21    or (
22      profile.by_sender().any_messages_malicious_or_spam
23      and not profile.by_sender().any_false_positives
24    )
25  )  
26attack_types:
27  - "Credential Phishing"
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Open redirect"
31detection_methods:
32  - "Sender analysis"
33  - "URL analysis"
34id: "9c620146-2e0e-5cbb-96fc-fea27236117c"
to-top