Open redirect: Mailtrack Korea

Detects messages containing links to mailtrack.ksd.or.kr tracking service that redirect to external domains, potentially bypassing security controls through the legitimate Korean mail tracking infrastructure.

Sublime rule

name: "Open redirect: Mailtrack Korea"
description: "Detects messages containing links to mailtrack.ksd.or.kr tracking service that redirect to external domains, potentially bypassing security controls through the legitimate Korean mail tracking infrastructure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "mailtrack.ksd.or.kr"
          and .href_url.path == "/TMS/tracking"
          and "url" in~ keys(.href_url.query_params_decoded)
          and not any(regex.iextract(.href_url.query_params,
                                     'url=([^&]+)(?:\&|\/|$)'
                      ),
                      strings.parse_url(.groups[0]).domain.root_domain == ..href_url.domain.root_domain
          )
  )
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "73210da5-12ca-5ebf-9135-edb5022ed6cb"
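The rule's three conditions (tracking host and path, a `url` query parameter, and that parameter's root domain differing from the tracking host's) re-expressed in plain Python as an added example; this is not Sublime's engine or the rule's own code. `root_domain` uses a small stand-in suffix table instead of a full public-suffix list, and the sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

TRACKING_HOST = "mailtrack.ksd.or.kr"
TRACKING_PATH = "/TMS/tracking"

# Assumption: a tiny stand-in for a public-suffix list, just enough for the
# sample links below so that ksd.or.kr (not or.kr) is the registrable domain.
MULTI_LABEL_SUFFIXES = {"or.kr", "co.kr", "co.uk"}

def root_domain(host: str) -> str:
    """Registrable domain: last two labels, or three when the last two form a
    known multi-label suffix (mirrors .domain.root_domain in the rule)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_mailtrack_open_redirect(link: str) -> bool:
    """True when `link` is a mailtrack.ksd.or.kr /TMS/tracking URL whose decoded
    `url` parameter points off the ksd.or.kr root domain."""
    parts = urlsplit(link)
    if parts.hostname != TRACKING_HOST or parts.path != TRACKING_PATH:
        return False
    # parse_qs percent-decodes values; lower-casing keys mirrors the rule's `in~`
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    targets = params.get("url")
    if not targets:
        return False
    # Second unquote tolerates a double-encoded target; harmless otherwise.
    target_host = urlsplit(unquote(targets[0])).hostname
    if not target_host:
        return False
    return root_domain(target_host) != root_domain(parts.hostname)

# Constructed sample links: one true open redirect, one in-domain redirect,
# one without a target, one on the wrong path, one on an unrelated host.
SAMPLE_LINKS = [
    "https://mailtrack.ksd.or.kr/TMS/tracking?id=1&URL=https%3A%2F%2Fexample.com%2Flogin",
    "https://mailtrack.ksd.or.kr/TMS/tracking?id=2&url=https%3A%2F%2Fwww.ksd.or.kr%2Fnotice",
    "https://mailtrack.ksd.or.kr/TMS/tracking?id=3",
    "https://mailtrack.ksd.or.kr/TMS/open?url=https%3A%2F%2Fexample.com",
    "https://other.example.net/TMS/tracking?url=https%3A%2F%2Fexample.com",
]

def flagged_links(links):
    """Return the subset of `links` the rule would match."""
    return [l for l in links if is_mailtrack_open_redirect(l)]

if __name__ == "__main__":
    for link in flagged_links(SAMPLE_LINKS):
        print("open redirect:", link)
```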