Open redirect: Indeed

 1name: "Open redirect: Indeed"
 2description: "Detects emails containing links using Indeed '/r?target=xxxxxx' open redirect where the email has not come from indeed.com"
 3references:
 4  - "https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/"
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and (
10    (
11      sender.email.domain.root_domain != "indeed.com"
12      and any(body.links, "indeed_open_redirect" in .href_url.rewrite.encoders)
13    )
14    or any(attachments,
15           .file_type == "pdf"
16           and any(file.explode(.),
17                   any(.scan.url.urls, "indeed_open_redirect" in .rewrite.encoders)
18           )
19    )
20  )
21  
22  // negate highly trusted sender domains unless they fail DMARC authentication
23  and (
24    (
25      sender.email.domain.root_domain in $high_trust_sender_root_domains
26      and not headers.auth_summary.dmarc.pass
27    )
28    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
29  )  
30attack_types:
31  - "Credential Phishing"
32  - "Malware/Ransomware"
33tactics_and_techniques:
34  - "Open redirect"
35detection_methods:
36  - "Sender analysis"
37  - "URL analysis"
38id: "98ce5477-49dd-5e60-b778-f8c2fcb283c2"