Open Redirect: Meta --> YouTube Redirection Chain

Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.

Sublime rule

name: "Open Redirect: Meta --> YouTube Redirection Chain"
description: |
    Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "l.work.meta.com"
          // the redirect field
          and strings.icontains(.href_url.query_params, "u=")
          and regex.icontains(.href_url.query_params, 'u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue=')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "f217fd10-48fe-553a-8e63-4da9fb3fbc64"
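The rule above is written in Sublime's MQL, which not every analyst can run locally. The following Python port of the same three conditions (exact host `l.work.meta.com`, a `u=` redirect parameter, and the page's regex applied to the raw query string) is an added example, not code from the Sublime rule or from Sublime Security; the sample links it runs against are constructed here, and `final_destination` is a triage helper this example adds to pull out the `continue=` target of the second hop.

```python
import re
from urllib.parse import urlsplit, unquote

# Regex copied from the rule's regex.icontains() call; applied case-insensitively
# to the query string, as the rule applies it to .href_url.query_params.
REDIRECT_CHAIN_RE = re.compile(
    r'u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue=',
    re.IGNORECASE,
)

# The rule compares .href_url.domain.domain (the full host), not the root domain,
# so "meta.com" or other Meta subdomains intentionally do not match.
REDIRECTOR_HOST = "l.work.meta.com"


def link_matches(href: str) -> bool:
    """Return True when one link satisfies all conditions of the any() block."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    query = parts.query  # everything after the first '?', like .href_url.query_params
    if host != REDIRECTOR_HOST:
        return False
    if "u=" not in query.lower():          # strings.icontains(query_params, "u=")
        return False
    return REDIRECT_CHAIN_RE.search(query) is not None


def message_matches(body_links) -> bool:
    """Equivalent of `any(body.links, ...)` over the message's extracted links."""
    return any(link_matches(href) for href in body_links)


def final_destination(href: str):
    """Triage helper (added here): the decoded continue= target of the YouTube hop."""
    m = re.search(r'continue=([^&\s]+)', urlsplit(href).query, re.IGNORECASE)
    return unquote(m.group(1)) if m else None


# Constructed sample links for testing; the landing host is a placeholder.
SAMPLE_LINKS = {
    "chain": "https://l.work.meta.com/l/?u=https://youtube.com/logout?continue=https://phish-landing.example/login",
    "meta_benign": "https://l.work.meta.com/l/?u=https://example.com/docs",
    "youtube_only": "https://youtube.com/logout?continue=https://phish-landing.example/login",
    "meta_youtube_watch": "https://l.work.meta.com/l/?u=https://youtube.com/watch?v=abc123",
}

if __name__ == "__main__":
    for label, href in SAMPLE_LINKS.items():
        print(f"{label:20} match={link_matches(href)} destination={final_destination(href)}")
```

Only the full chain fires: a Meta redirector pointing at a benign site, a direct YouTube logout link without the Meta hop, and a Meta-to-YouTube watch link all stay quiet, which mirrors why the rule requires every condition together rather than alerting on `l.work.meta.com` alone.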