Open redirect: Signature Travel Network
Message contains use of the Signature Travel Network open redirect, but the sender is not Signature Travel Network. This has been exploited in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: Signature Travel Network"
2description: "Message contains use of the Signature Travel Network open redirect, but the sender is not Signature Travel Network. This has been exploited in the wild."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 .href_url.domain.root_domain == 'sigtn.com'
9 and strings.iends_with(.href_url.path, "emt.cfm")
10 and strings.icontains(.href_url.query_params, "link=")
11 )
12 and sender.email.domain.root_domain not in (
13 'signaturetravelnetwork.com',
14 'sigtn.com'
15 )
16 and not any(headers.domains, .root_domain == "signaturetravelnetwork.com")
17
18 // negate highly trusted sender domains unless they fail DMARC authentication
19 and (
20 (
21 sender.email.domain.root_domain in $high_trust_sender_root_domains
22 and not headers.auth_summary.dmarc.pass
23 )
24 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25 )
26attack_types:
27 - "Credential Phishing"
28tactics_and_techniques:
29 - "Open redirect"
30detection_methods:
31 - "Sender analysis"
32 - "URL analysis"
33id: "c92e3202-4dae-52ce-b9bd-2d7722c8e72d"