Open redirect: Google Ad Services
Message contains use of the Google Ad Services open redirect, but the sender is not Google. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: Google Ad Services"
2description: |
3 Message contains use of the Google Ad Services open redirect, but the sender is not Google. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == 'googleadservices.com'
10 and .href_url.path =~ '/pagead/aclk'
11 and strings.icontains(.href_url.query_params, "adurl=")
12 )
13 and sender.email.domain.root_domain != 'google.com'
14attack_types:
15 - "Credential Phishing"
16 - "Malware/Ransomware"
17tactics_and_techniques:
18 - "Open redirect"
19detection_methods:
20 - "Sender analysis"
21 - "URL analysis"
22id: "9f91d33b-50f9-5ba2-b163-32ff48296dc6"