Open redirect: HHS

calendar Aug 21, 2023  ยท
Share on: linkedin copy

Looks for use of the HHS open redirect.

Sublime rule (View on GitHub)

 1name: "Open redirect: HHS"
 2description: |
 3    Looks for use of the HHS open redirect.
 4references:
 5  - "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links,
11          .href_url.domain.domain == 'dcis.hhs.gov'
12          and strings.ilike(.href_url.query_params, '*service*')
13  )  
14attack_types:
15  - "Credential Phishing"
16  - "Malware/Ransomware"
17tactics_and_techniques:
18  - "Open redirect"
19detection_methods:
20  - "Sender analysis"
21  - "URL analysis"
22id: "c2d8cda9-358e-5856-93a7-8e76d1ab1df5"
to-top