Open redirect: MSN
Message uses an MSN open redirect.
Sample (benign) redirect to sublimesecurity[.]com: https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==
Sublime rule
name: "Open redirect: MSN"
description: |
  Message uses an MSN open redirect.

  Sample (benign) redirect to sublimesecurity[.]com:
  https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==
references:
  - "https://twitter.com/jkamdjou/status/1601589501880840192?s=20&t=pUzE5E8sd1UXKh1eUEASiQ"
  - "https://playground.sublimesecurity.com?id=68cbab41-abd0-47e5-90ac-7cd5cd65e85c"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // any link in the body that points at the MSN redirect endpoint
  and any(body.links,
    .href_url.domain.root_domain == "msn.com"
    and .href_url.path =~ "/en-gb/lifestyle/rf-best-products-uk/redirect"
    // the redirect destination is carried in the "url" query parameter
    and strings.icontains(.href_url.query_params, "url")
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "0e0a691a-3bf9-573a-82dd-96b4ef8f96c5"
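For triage of a message this rule flags, the added example below (not part of the Sublime rule or its repository) applies the same three link conditions in Python and decodes the `url` parameter to show where the redirect lands. The function names are hypothetical, and it assumes the parameter is base64 of the destination, as in the sample above.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Path the rule matches on (taken from the rule above).
REDIRECT_PATH = "/en-gb/lifestyle/rf-best-products-uk/redirect"
# Defanged benign sample from the rule description.
SAMPLE = ("https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/"
          "redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==")


def refang(url):
    """Undo the [.] / [:] defanging used in the rule description."""
    return url.replace("[.]", ".").replace("[:]", ":")


def decode_target(value):
    """Base64-decode the url parameter; None if it is not valid base64 text."""
    # parse_qs turns '+' into a space, so restore it, then repair stripped padding.
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


def analyze_link(url):
    """Return (matches_rule, decoded_destination_or_None) for one link."""
    try:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL
        return False, None
    matches = (
        (host == "msn.com" or host.endswith(".msn.com"))  # root domain check
        and parts.path.lower() == REDIRECT_PATH            # case-insensitive, like =~
        and "url" in parts.query.lower()                   # like strings.icontains
    )
    if not matches:
        return False, None
    values = parse_qs(parts.query).get("url", [])
    return True, (decode_target(values[0]) if values else None)


if __name__ == "__main__":
    print(analyze_link(SAMPLE))
```

A result of `(True, None)` means the link matches the rule but the parameter did not decode, which is worth a manual look.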