Open redirect: Indeed

 1name: "Open redirect: Indeed"
 2description: "Detects emails containing links using Indeed '/r?target=xxxxxx' open redirect where the email has not come from indeed.com"
 3references:
 4  - "https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/"
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and (
10    (
11      sender.email.domain.root_domain != "indeed.com"
12      and any(body.links, "indeed_open_redirect" in .href_url.rewrite.encoders)
13    )
14    or any(attachments,
15           .file_type == "pdf"
16           and any(file.explode(.),
17                   any(.scan.url.urls, "indeed_open_redirect" in .rewrite.encoders)
18           )
19    )
20  )
21  and (
22    not profile.by_sender().solicited
23    or (
24      profile.by_sender().any_messages_malicious_or_spam
25      and not profile.by_sender().any_false_positives
26    )
27  )
28  
29  // negate highly trusted sender domains unless they fail DMARC authentication
30  and (
31    (
32      sender.email.domain.root_domain in $high_trust_sender_root_domains
33      and not headers.auth_summary.dmarc.pass
34    )
35    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36  )  
37attack_types:
38  - "Credential Phishing"
39  - "Malware/Ransomware"
40tactics_and_techniques:
41  - "Open redirect"
42detection_methods:
43  - "Sender analysis"
44  - "URL analysis"
45id: "98ce5477-49dd-5e60-b778-f8c2fcb283c2"