Open Redirect: Meta --> YouTube Redirection Chain
Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open Redirect: Meta --> YouTube Redirection Chain"
2description: |
3 Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.domain == "l.work.meta.com"
10 // the redirect field
11 and strings.icontains(.href_url.query_params, "u=")
12 and regex.icontains(.href_url.query_params, 'u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue=')
13 )
14attack_types:
15 - "Credential Phishing"
16tactics_and_techniques:
17 - "Open redirect"
18detection_methods:
19 - "Sender analysis"
20 - "URL analysis"
21id: "f217fd10-48fe-553a-8e63-4da9fb3fbc64"