Open redirect: nowlifestyle.com
Message contains use of the nowlifestyle.com open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: nowlifestyle.com"
2description: |
3 Message contains use of the nowlifestyle.com open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "nowlifestyle.com"
10 and strings.icontains(.href_url.path, "/redir.php")
11 and regex.icontains(.href_url.query_params,
12 'url=(?:https?|(?:\/|%2f)(?:\/|%2f))'
13 )
14 and not regex.icontains(.href_url.query_params,
15 'url=[^\&]*nowlifestyle\.com'
16 )
17 )
18 and not sender.email.domain.root_domain == "nowlifestyle.com"
19
20 // negate highly trusted sender domains unless they fail DMARC authentication
21 and (
22 (
23 sender.email.domain.root_domain in $high_trust_sender_root_domains
24 and not headers.auth_summary.dmarc.pass
25 )
26 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27 )
28attack_types:
29 - "Credential Phishing"
30tactics_and_techniques:
31 - "Open redirect"
32detection_methods:
33 - "Sender analysis"
34 - "URL analysis"
35id: "a2bea3a3-5673-5c56-9042-36bf67ece793"