Open redirect: Samsung

Dec 20, 2023 · Attack surface reduction ·

Message contains use of the Samsung open redirect, but the sender is not Samsung.

Sublime rule (View on GitHub)

 1name: "Open redirect: Samsung"
 2description: |
 3    Message contains use of the Samsung open redirect, but the sender is not Samsung.
 4references:
 5  - "https://twitter.com/ffforward/status/1232958609031598080?lang=en"
 6  - "https://twitter.com/JCyberSec_/status/1238488919135715328?s=20"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and any(body.links, .href_url.domain.domain == 't.info.samsungusa.com' and .href_url.path =~ '/r/')
12  and sender.email.domain.root_domain != 'samsungusa.com'  
13tags:
14  - "Attack surface reduction"
15attack_types:
16  - "Credential Phishing"
17  - "Malware/Ransomware"
18tactics_and_techniques:
19  - "Open redirect"
20detection_methods:
21  - "Sender analysis"
22  - "URL analysis"
23id: "164ece9a-26ca-5872-9604-7e948722d627"

Related rules

Link to a Domain with Punycode Characters
Open redirect: Linkedin
Open redirect: Panera Bread
Open redirect: Slack
Open redirect: Snapchat