Open redirect: Indeed

 1name: "Open redirect: Indeed"
 2description: "Detects emails containing links using Indeed '/r?target=xxxxxx' open redirect where the email has not come from indeed.com"
 3references:
 4  - "https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/"
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and (
10    (
11      sender.email.domain.root_domain != "indeed.com"
12      and any(body.links, "indeed_open_redirect" in .href_url.rewrite.encoders)
13    )
14    or any(attachments,
15           .file_type == "pdf"
16           and any(file.explode(.),
17                   any(.scan.url.urls,
18                       "indeed_open_redirect" in .rewrite.encoders
19                   )
20           )
21    )
22  )
23  
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and not headers.auth_summary.dmarc.pass
29    )
30    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
31  )  
32attack_types:
33  - "Credential Phishing"
34  - "Malware/Ransomware"
35tactics_and_techniques:
36  - "Open redirect"
37detection_methods:
38  - "Sender analysis"
39  - "URL analysis"
40id: "98ce5477-49dd-5e60-b778-f8c2fcb283c2"