Open redirect: Signature Travel Network

calendar Sep 11, 2024  ยท
Share on: linkedin copy

Message contains use of the Signature Travel Network open redirect, but the sender is not Signature Travel Network. This has been exploited in the wild.

Sublime rule (View on GitHub)

 1name: "Open redirect: Signature Travel Network"
 2description: "Message contains use of the Signature Travel Network open redirect, but the sender is not Signature Travel Network. This has been exploited in the wild."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == 'sigtn.com'
 9          and strings.iends_with(.href_url.path, "emt.cfm")
10          and strings.icontains(.href_url.query_params, "link=")
11  )
12  and sender.email.domain.root_domain not in (
13    'signaturetravelnetwork.com',
14    'sigtn.com'
15  )
16  and not any(headers.domains, .root_domain == "signaturetravelnetwork.com")
17  and (
18    not profile.by_sender().solicited
19    or (
20      profile.by_sender().any_messages_malicious_or_spam
21      and not profile.by_sender().any_false_positives
22    )
23  )
24  
25  // negate highly trusted sender domains unless they fail DMARC authentication
26  and (
27    (
28      sender.email.domain.root_domain in $high_trust_sender_root_domains
29      and not headers.auth_summary.dmarc.pass
30    )
31    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
32  )  
33attack_types:
34  - "Credential Phishing"
35tactics_and_techniques:
36  - "Open redirect"
37detection_methods:
38  - "Sender analysis"
39  - "URL analysis"
40id: "c92e3202-4dae-52ce-b9bd-2d7722c8e72d"
to-top