Open redirect: Klaviyo

Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild.

Sublime rule

name: "Open redirect: Klaviyo"
description: "Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == 'manage.kmail-lists.com'
          and .href_url.path =~ '/subscriptions/subscribe/update'
          and strings.icontains(.href_url.query_params, 'r=')
          and not strings.ilike(.display_text, "*subscribe*", "*manage*")
  )

attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "ce5a370a-3b3b-55cb-a4c3-c05cb795b611"
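The rule's per-link conditions, ported to plain Python as an added example so the logic can be exercised against constructed messages offline. This is not Sublime's engine or its MQL evaluator; it assumes a message is a dict with a `direction` field and a `links` list of `{"href": ..., "display_text": ...}` entries (a constructed shape, not Sublime's message data model). The `r=` substring check is kept as loose as the rule's `strings.icontains`, so a query such as `other=1` also satisfies it.

```python
from fnmatch import fnmatchcase
from typing import List
from urllib.parse import urlparse

# Values taken from the rule above.
REDIRECT_HOST = "manage.kmail-lists.com"
REDIRECT_PATH = "/subscriptions/subscribe/update"
# Display texts the rule treats as a legitimate Klaviyo subscription link.
BENIGN_TEXT_PATTERNS = ("*subscribe*", "*manage*")


def link_is_suspicious(href: str, display_text: str) -> bool:
    """Mirror of the rule's conditions for a single body link.

    True when the link targets the Klaviyo redirect endpoint, carries an
    'r=' substring in its query string, and the display text does not look
    like a normal subscribe/manage-preferences link.
    """
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host != REDIRECT_HOST:  # .href_url.domain.domain == 'manage.kmail-lists.com'
        return False
    # MQL '=~' is case-insensitive equality, so lower-case before comparing.
    if parsed.path.lower() != REDIRECT_PATH:
        return False
    # strings.icontains(.href_url.query_params, 'r=')
    if "r=" not in parsed.query.lower():
        return False
    # not strings.ilike(.display_text, "*subscribe*", "*manage*")
    text = (display_text or "").lower()
    return not any(fnmatchcase(text, pattern) for pattern in BENIGN_TEXT_PATTERNS)


def flagged_links(message: dict) -> List[str]:
    """Return the hrefs in an inbound message that match the rule (type.inbound and any(...))."""
    if message.get("direction") != "inbound":
        return []
    return [
        link["href"]
        for link in message.get("links", [])
        if link_is_suspicious(link.get("href", ""), link.get("display_text", ""))
    ]


# Constructed sample messages; the hrefs and texts are made up for this example.
SUSPICIOUS_HREF = (
    "https://manage.kmail-lists.com/subscriptions/subscribe/update"
    "?a=1&r=https%3A%2F%2Fexample.invalid%2Flogin"
)
SAMPLE_MESSAGES = {
    "phish": {
        "direction": "inbound",
        "links": [{"href": SUSPICIOUS_HREF, "display_text": "Review your invoice"}],
    },
    "newsletter": {
        "direction": "inbound",
        "links": [{"href": SUSPICIOUS_HREF, "display_text": "Manage your preferences"}],
    },
    "outbound": {
        "direction": "outbound",
        "links": [{"href": SUSPICIOUS_HREF, "display_text": "Review your invoice"}],
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name}: {flagged_links(msg)}")
```

Running the module prints the flagged hrefs for each constructed message: the invoice-themed link is reported, the manage-preferences link is not, and the outbound copy is skipped entirely.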