Open redirect: Doubleclick.net

Doubleclick.net link leveraging an open redirect from a new or outlier sender.

Sublime rule (View on GitHub)

# Sublime detection rule.
# Fires on inbound mail that carries a doubleclick.net ad-click URL (/aclk)
# whose "adurl" query parameter holds an absolute URL — the redirect target —
# when the sender has no established good history (see the sender block below).
name: "Open redirect: Doubleclick.net"
description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Link-count cap; presumably to keep link-heavy marketing/newsletter mail out of scope — confirm.
  and length(body.links) < 10
  // The redirect: root domain doubleclick.net, path /aclk, and an adurl
  // parameter whose value is an absolute URL (3–10 letter scheme then "://").
  // NOTE(review): the leading "&" requires adurl to follow another query
  // parameter, so "?adurl=..." as the first parameter does not match — confirm
  // whether that is intended. The trailing ".*$" appears to add no constraint
  // for a contains-style match.
  and any(body.links,
          .href_url.domain.root_domain == "doubleclick.net"
          and .href_url.path == "/aclk"
          and regex.icontains(.href_url.query_params, "&adurl=[a-zA-Z]{3,10}://.*$")
  )
  // Sender reputation gate: either a new/outlier sender, or a sender with
  // prior malicious-or-spam messages and no recorded false positives.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )  
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "9c620146-2e0e-5cbb-96fc-fea27236117c"