Open redirect: Linkedin
Detects emails containing links that use LinkedIn's '/slink?code=xxxxx' open redirect when the email has not come from linkedin.com
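name: "Open redirect: Linkedin"
description: "Detects emails containing links using Linkedin '/slink?code=xxxxx' open redirect where the email has not come from Linkedin.com"
references:
  - "https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/"
type: "rule"
authors:
  - twitter: "xNymia"
severity: "medium"
source: |
  // Abused LinkedIn redirector of the form linkedin.com/slink?code=<id>.
  // Scope: inbound mail whose sender is not linkedin.com. The sender gate
  // is applied once, ahead of both branches, so it covers body links AND
  // PDF-attachment URLs (previously the attachment branch was not gated,
  // so genuine LinkedIn mail carrying a PDF with a slink would have fired).
  // NOTE(review): the exemption trusts the From domain alone; a message
  // spoofing a linkedin.com sender is not evaluated. Pairing the exemption
  // with a DMARC-pass requirement would close that gap.
  type.inbound
  and sender.email.domain.root_domain != "linkedin.com"
  and (
    // Body links: the '/slink' path and the 'code=' query are checked on the
    // same URL, so an unrelated link whose query merely starts with 'code='
    // cannot satisfy the pairing.
    any(body.links,
        .href_url.domain.root_domain == 'linkedin.com'
        and (
          (
            .href_url.path == '/slink'
            and strings.ilike(.href_url.query_params, 'code=*')
          )
          // 'redirect_uri' on a linkedin.com URL. LinkedIn's own OAuth
          // authorization links legitimately carry this parameter, so some
          // benign hits are expected on this branch.
          or strings.icontains(.href_url.query_params, 'redirect_uri')
        )
    )
    // The same URL checks applied to links extracted from PDF attachments.
    or any(attachments,
           .file_type == "pdf"
           and any(file.explode(.),
                   any(.scan.url.urls,
                       .domain.root_domain == 'linkedin.com'
                       and (
                         (
                           .path == '/slink'
                           and strings.ilike(.query_params, 'code=*')
                         )
                         or strings.icontains(.query_params, 'redirect_uri')
                       )
                   )
           )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"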