Open redirect: Hakumonkai.org

Detects inbound messages containing links or attachments with URLs that utilize the hakumonkai.org domain's redirect functionality (/fukkou/ref.php) to redirect users to external domains through the 'url' parameter.

Sublime rule (View on GitHub)

 1name: "Open redirect: Hakumonkai.org"
 2description: "Detects inbound messages containing links or attachments with URLs that utilize the hakumonkai.org domain's redirect functionality (/fukkou/ref.php) to redirect users to external domains through the 'url' parameter."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    any(body.links,
 9        (
10          .href_url.domain.root_domain == "hakumonkai.org"
11          and .href_url.path == "/fukkou/ref.php"
12          and any(.href_url.query_params_decoded["url"],
13                  strings.parse_url(.).domain.valid
14          )
15        )
16    )
17    or any(filter(attachments, .file_type == "pdf"),
18           any(file.explode(.),
19               any(.scan.url.urls,
20                   (
21                     .domain.root_domain == "hakumonkai.org"
22                     and .path == "/fukkou/ref.php"
23                     and any(.query_params_decoded["url"],
24                             strings.parse_url(.).domain.valid
25                     )
26                   )
27               )
28           )
29    )
30  )  
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Open redirect"
35detection_methods:
36  - "URL analysis"
37  - "File analysis"
38id: "c63379a9-6068-503e-9faa-9f0f310cb9ee"