Open redirect: HHS
Looks for use of the HHS open redirect.
Sublime rule:

```yaml
name: "Open redirect: HHS"
description: |
  Looks for use of the HHS open redirect.
references:
  - "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == 'dcis.hhs.gov'
          and strings.ilike(.href_url.query_params, '*service*')
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "c2d8cda9-358e-5856-93a7-8e76d1ab1df5"
```
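The rule fires on an inbound message when any body link points at the host `dcis.hhs.gov` and its query string contains `service` in any letter case. The following Python mirrors that predicate over a handful of constructed links so the matching behaviour can be checked offline; it is an added example, not Sublime's engine or this rule's own code, and it assumes that `.href_url.domain.domain` is the full host name (exact match, not a suffix match) and that `.href_url.query_params` is the raw query string.

```python
from __future__ import annotations
from typing import Iterable
from urllib.parse import urlparse

# Constructed sample links standing in for `body.links` of one inbound message.
# Only the first two should match: right host AND "service" in the query.
SAMPLE_LINKS = [
    "https://dcis.hhs.gov/cas/login?service=https://example.invalid/landing",
    "https://DCIS.hhs.gov/cas/login?SERVICE=https%3A%2F%2Fexample.invalid",
    "https://dcis.hhs.gov/about",            # right host, no "service" param
    "https://www.hhs.gov/?service=x",         # "service" present, wrong host
    "https://example.invalid/?service=abc",  # unrelated host
]


def link_matches(href: str) -> bool:
    """Per-link predicate of the rule's any(body.links, ...) clause."""
    parsed = urlparse(href)
    host = parsed.hostname or ""  # urlparse lower-cases the host for us
    # `.href_url.domain.domain == 'dcis.hhs.gov'` -- assumed to be the full
    # host, so a sibling such as www.hhs.gov does not match.
    if host != "dcis.hhs.gov":
        return False
    # `strings.ilike(.href_url.query_params, '*service*')` -- case-insensitive
    # substring test over the raw query string (assumed semantics).
    return "service" in parsed.query.lower()


def flagged_links(links: Iterable[str]) -> list[str]:
    """Return the links that satisfy the per-link predicate."""
    return [href for href in links if link_matches(href)]


def rule_fires(direction: str, links: Iterable[str]) -> bool:
    """`type.inbound and any(body.links, ...)` for one message."""
    return direction == "inbound" and bool(flagged_links(links))


if __name__ == "__main__":
    for href in SAMPLE_LINKS:
        print(f"{'MATCH ' if link_matches(href) else 'ignore'}  {href}")
    print("rule fires:", rule_fires("inbound", SAMPLE_LINKS))
```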