Open Redirect: Samsung
Message contains a link that passes through a Samsung open redirect (the t.info.samsungusa.com tracking redirector, or a *.email.samsung.com redirector whose p1= parameter points at a google.* or doubleclick.net target), but the sender's domain is not samsung.com or samsungusa.com.
Sublime rule (View on GitHub)
name: "Open Redirect: Samsung"
description: |
  Message contains use of the Samsung open redirect, but the sender is not Samsung.
references:
  - "https://twitter.com/ffforward/status/1232958609031598080?lang=en"
  - "https://twitter.com/JCyberSec_/status/1238488919135715328?s=20"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          (
            .href_url.domain.domain == 't.info.samsungusa.com'
            and .href_url.path =~ '/r/'
          )
          or (
            .href_url.domain.root_domain == "samsung.com"
            and strings.iends_with(.href_url.domain.subdomain, '.email')
            and strings.icontains(.href_url.path, '/r/')
            and strings.icontains(.href_url.query_params, 'id=')
            and strings.icontains(.href_url.query_params, 'p1=')
            // with redirects to google/doubleclick
            and regex.icontains(.href_url.query_params,
                                'p1=[^\&]*(?:google\.|doubleclick\.net)'
            )
          )
  )
  and sender.email.domain.root_domain not in ('samsungusa.com', 'samsung.com')
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "164ece9a-26ca-5872-9604-7e948722d627"
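To see what the rule does and does not fire on, here is an added Python re-implementation of its logic run over a handful of constructed sample messages. This is example code written for this page, not part of the Sublime rule or its repository. It assumes a message is represented as a dict with `inbound`, `sender` and `links` keys, and it splits hostnames into subdomain/root domain by taking the last two labels, which is a simplification of the public-suffix-based parsing behind `.domain.root_domain` and `.domain.subdomain` in MQL. The sample senders, links and the `example.*` hosts are all constructed.

```python
import re
from urllib.parse import urlparse

# Sender root domains the rule treats as legitimate Samsung senders.
SAMSUNG_SENDER_ROOTS = {"samsungusa.com", "samsung.com"}

# Same pattern as the rule's regex.icontains(): the p1= value, up to the next
# '&', must contain "google." or "doubleclick.net".
REDIRECT_TARGET_RE = re.compile(r"p1=[^&]*(?:google\.|doubleclick\.net)", re.IGNORECASE)


def split_host(host):
    """Return (subdomain, root_domain) for a hostname.

    Assumption / simplification: the root domain is the last two labels.
    MQL's .domain.root_domain uses the public suffix list, so hosts under
    multi-label suffixes (e.g. .co.uk) would be split differently there.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", host.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def link_uses_samsung_redirect(href):
    """Mirror the per-link predicate inside any(body.links, ...)."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    path = url.path.lower()
    query = url.query.lower()
    subdomain, root = split_host(host)

    # Branch 1: the samsungusa.com redirector; =~ is case-insensitive
    # equality, so the path must be exactly "/r/".
    if host == "t.info.samsungusa.com" and path == "/r/":
        return True

    # Branch 2: a *.email.samsung.com redirector with id= and p1=, where the
    # p1= target is Google or DoubleClick. Note the '.email' check needs a
    # label in front of "email", so a link on bare email.samsung.com is not
    # covered by the rule as written.
    return (
        root == "samsung.com"
        and subdomain.endswith(".email")
        and "/r/" in path
        and "id=" in query
        and "p1=" in query
        and REDIRECT_TARGET_RE.search(query) is not None
    )


def sender_root_domain(address):
    _, root = split_host(address.rsplit("@", 1)[-1])
    return root


def rule_matches(message):
    """Apply the whole rule: inbound, non-Samsung sender, any abusing link."""
    if not message["inbound"]:
        return False
    if sender_root_domain(message["sender"]) in SAMSUNG_SENDER_ROOTS:
        return False
    return any(link_uses_samsung_redirect(href) for href in message["links"])


# Constructed sample messages (not real mail traffic).
SAMPLES = {
    "phish_via_samsungusa": {
        "inbound": True,
        "sender": "noreply@account-verify.example",
        "links": ["https://t.info.samsungusa.com/r/?id=h12345,abcd"
                  "&p1=https://drive.google.com/uc?id=shared-doc"],
    },
    "legit_samsung_newsletter": {
        "inbound": True,
        "sender": "news@email.samsung.com",
        "links": ["https://t.info.samsungusa.com/r/?id=h12345,abcd"
                  "&p1=https://drive.google.com/uc?id=shared-doc"],
    },
    "phish_via_email_samsung": {
        "inbound": True,
        "sender": "billing@example.org",
        "links": ["https://link.email.samsung.com/r/?id=42&p1=https://docs.google.com/forms/x"],
    },
    "redirect_to_non_google": {
        "inbound": True,
        "sender": "billing@example.org",
        "links": ["https://link.email.samsung.com/r/?id=42&p1=https://example.com/"],
    },
    "bare_email_subdomain": {
        "inbound": True,
        "sender": "billing@example.org",
        "links": ["https://email.samsung.com/r/?id=42&p1=https://docs.google.com/forms/x"],
    },
    "plain_samsung_link": {
        "inbound": True,
        "sender": "billing@example.org",
        "links": ["https://www.samsung.com/us/"],
    },
}


def run_samples():
    """Return {sample name: whether the rule fires}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The two "phish" samples fire and the newsletter from email.samsung.com does not, which is the sender-mismatch idea behind the rule. The `bare_email_subdomain` sample shows a consequence of `strings.iends_with(.href_url.domain.subdomain, '.email')`: the subdomain must end in `.email` with something before it, so a redirector hosted directly on email.samsung.com would not match either branch.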