Open Redirect: nowlifestyle.com
Message contains use of the nowlifestyle.com open redirect. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open Redirect: nowlifestyle.com"
2description: |
3 Message contains use of the nowlifestyle.com open redirect. This has been exploited in the wild.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(body.links,
9 .href_url.domain.root_domain == "nowlifestyle.com"
10 and strings.icontains(.href_url.path, "/redir.php")
11 and regex.icontains(.href_url.query_params,
12 'url=(?:https?|(?:\/|%2f)(?:\/|%2f))'
13 )
14 and not regex.icontains(.href_url.query_params,
15 'url=[^\&]*nowlifestyle\.com'
16 )
17 )
18 and not sender.email.domain.root_domain == "nowlifestyle.com"
19 and (
20 not profile.by_sender().solicited
21 or (
22 profile.by_sender().any_messages_malicious_or_spam
23 and not profile.by_sender().any_false_positives
24 )
25 )
26
27 // negate highly trusted sender domains unless they fail DMARC authentication
28 and (
29 (
30 sender.email.domain.root_domain in $high_trust_sender_root_domains
31 and not headers.auth_summary.dmarc.pass
32 )
33 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
34 )
35attack_types:
36 - "Credential Phishing"
37tactics_and_techniques:
38 - "Open redirect"
39detection_methods:
40 - "Sender analysis"
41 - "URL analysis"
42id: "a2bea3a3-5673-5c56-9042-36bf67ece793"