Open redirect: Google Ad Services

The message contains a link through the Google Ad Services open redirect (a googleadservices.com/pagead/aclk URL carrying an adurl= parameter that names the real destination), but the sender's domain is not google.com. This redirect has been exploited in the wild to hide phishing and malware landing pages behind a trusted Google domain.

Sublime rule

name: "Open redirect: Google Ad Services"
description: |
    Message contains use of the Google Ad Services open redirect, but the sender is not Google. This has been exploited in the wild.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == 'googleadservices.com'
          and .href_url.path =~ '/pagead/aclk'
          and strings.icontains(.href_url.query_params, "adurl=")
  )
  and sender.email.domain.root_domain != 'google.com'
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "9f91d33b-50f9-5ba2-b163-32ff48296dc6"
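To see what the rule's three conditions actually do, here is the same logic re-implemented over constructed sample messages in plain Python. This is an added illustration, not code from the Sublime rule or its repository: the `Link`/`Message` classes, the sample senders and URLs, and the simplified `root_domain` helper (last two DNS labels; Sublime's real `root_domain` uses the public suffix list, so it handles names like `co.uk` correctly where this helper does not) are all assumptions made for the example. The MQL `=~` path comparison is modelled as a case-insensitive equality and `strings.icontains` as a case-insensitive substring test, which is how those operators behave in the rule above.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class Link:
    href: str


@dataclass
class Message:
    sender_email: str
    links: list = field(default_factory=list)


def root_domain(host: str) -> str:
    """Simplified stand-in for MQL's .root_domain (assumption: last two
    labels). Good enough for the .com domains in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_googleads_redirect(href: str) -> bool:
    """Mirrors the per-link predicate inside the rule's any(body.links, ...)."""
    u = urlparse(href)
    return (
        root_domain(u.hostname or "") == "googleadservices.com"   # .root_domain ==
        and u.path.lower() == "/pagead/aclk"                       # .path =~ (case-insensitive)
        and "adurl=" in u.query.lower()                            # strings.icontains(query_params, "adurl=")
    )


def redirect_target(href: str):
    """Pull the real destination out of adurl=, matching the key case-insensitively
    since the rule itself only checks the substring case-insensitively."""
    for key, values in parse_qs(urlparse(href).query).items():
        if key.lower() == "adurl" and values:
            return values[0]
    return None


def rule_matches(msg: Message) -> bool:
    """type.inbound is assumed true for every constructed message here."""
    sender_root = root_domain(msg.sender_email.rsplit("@", 1)[-1])
    uses_redirect = any(is_googleads_redirect(l.href) for l in msg.links)
    return uses_redirect and sender_root != "google.com"


# Constructed sample messages (not real traffic).
PHISH = Message(
    "billing@invoice-notice.example",
    [Link("https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc123"
          "&adurl=https://login-verify.example/office")],
)
# Same abuse, but the parameter and path are written in mixed case.
PHISH_MIXED_CASE = Message(
    "support@account-alerts.example",
    [Link("https://www.googleadservices.com/PageAd/Aclk?ai=xyz"
          "&AdUrl=https://secure-docs.example/signin")],
)
# Identical link but sent from google.com: the sender check suppresses it.
LEGIT_GOOGLE = Message(
    "ads-noreply@google.com",
    [Link("https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc123"
          "&adurl=https://advertiser.example/landing")],
)
# googleadservices.com link without the redirect endpoint: no match.
NO_REDIRECT = Message(
    "newsletter@shop.example",
    [Link("https://www.googleadservices.com/pagead/conversion/123/")],
)

if __name__ == "__main__":
    for name, m in [("PHISH", PHISH), ("PHISH_MIXED_CASE", PHISH_MIXED_CASE),
                    ("LEGIT_GOOGLE", LEGIT_GOOGLE), ("NO_REDIRECT", NO_REDIRECT)]:
        hit = rule_matches(m)
        target = redirect_target(m.links[0].href) if hit else None
        print(f"{name:17s} match={hit!s:5s} adurl={target}")
```

The two things worth taking from this: the rule keys on the redirect endpoint (`/pagead/aclk` plus `adurl=`) rather than on the googleadservices.com domain alone, so ordinary conversion-tracking links from the same domain do not fire; and the only allow-listing is on the sender's root domain, so a spoofed or look-alike sender that is not exactly `google.com` still trips it, which is the intended behaviour for a sender-analysis rule.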