Open Redirect: obunsha.co.jp

calendar Mar 18, 2025  ·
Share on: linkedin copy

Detects messages containing Obunsha's passnavi redirect service that can be exploited to redirect users to malicious sites. This has been used in phishing campaigns.

Sublime rule (View on GitHub)

 1name: "Open Redirect: obunsha.co.jp"
 2description: |
 3  Detects messages containing Obunsha's passnavi redirect service that can be exploited
 4  to redirect users to malicious sites. This has been used in phishing campaigns.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and any(body.links,
10          // Look for Obunsha passnavi URLs
11          .href_url.domain.domain == "passnavi.obunsha.co.jp"
12          and strings.icontains(.href_url.path, '/ct.html')
13          and strings.icontains(.href_url.query_params, 'uri=')
14          // Make sure it's not redirecting back to obunsha domains
15          and not regex.icontains(.href_url.query_params, 'uri=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*obunsha\.co\.jp(?:\&|\/|$|%2f)')
16  )
17  // Exclude legitimate Obunsha domains as senders
18  and not sender.email.domain.root_domain == "obunsha.co.jp"
19  
20  // negate highly trusted sender domains unless they fail DMARC authentication
21  and (
22    (
23      sender.email.domain.root_domain in $high_trust_sender_root_domains
24      and not headers.auth_summary.dmarc.pass
25    )
26    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27  )  
28attack_types:
29  - "Credential Phishing"
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Open redirect"
33detection_methods:
34  - "Sender analysis"
35  - "URL analysis"
36id: "e972dacf-0316-57d0-b135-38517042b9e8"
to-top