Open redirect: Nested Doubleclick.net

calendar Jul 17, 2024  ·
Share on: linkedin copy

Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule.

Sublime rule (View on GitHub)

 1name: "Open redirect: Nested Doubleclick.net"
 2description: "Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(body.links,
 9          .href_url.domain.root_domain == "doubleclick.net"
10          and (
11            strings.icontains(.href_url.path, "/aclk")
12            or strings.icontains(.href_url.path, "/pcs/click")
13            or strings.icontains(.href_url.path, "/searchads/link/click")
14          )
15    and regex.icontains(.href_url.query_params, '&(?:adurl|ds_dest_url)=(?:https?(\:|%3a))?(?:\/|%2f)(?:\/|%2f)adclick.g.doubleclick.net')
16  )
17  and (
18    profile.by_sender().prevalence in ("new", "outlier")
19    or (
20      profile.by_sender().any_messages_malicious_or_spam
21      and not profile.by_sender().any_false_positives
22    )
23  )  
24attack_types:
25  - "Credential Phishing"
26  - "Malware/Ransomware"
27tactics_and_techniques:
28  - "Open redirect"
29detection_methods:
30  - "Sender analysis"
31  - "URL analysis"
32id: "bbed5cc6-4c39-5a53-9255-269cbd4e27cb"
to-top