Open redirect: slubnaglowie.pl
Message contains use of a slubnaglowie.pl redirect. This redirection has been abused by threat actors in the wild.
Sublime rule (View on GitHub)
1name: "Open redirect: slubnaglowie.pl"
2description: "Message contains use of a slubnaglowie.pl redirect. This redirection has been abused by threat actors in the wild."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 .href_url.domain.root_domain == "slubnaglowie.pl"
9 and .href_url.path == "/przejdz" // "to go" or "to move/proceed" in Polish
10 and strings.icontains(.href_url.query_params, 'url=')
11 )
12
13 // negate highly trusted sender domains unless they fail DMARC authentication
14 and (
15 (
16 (
17 sender.email.domain.root_domain in $high_trust_sender_root_domains
18 or sender.email.domain.root_domain == "slubnaglowie.pl"
19 )
20 and not headers.auth_summary.dmarc.pass
21 )
22 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
23 )
24attack_types:
25 - "Credential Phishing"
26tactics_and_techniques:
27 - "Evasion"
28 - "Open redirect"
29 - "Social engineering"
30detection_methods:
31 - "Content analysis"
32 - "Header analysis"
33 - "Sender analysis"
34 - "URL analysis"
35id: "2ec356d0-d7d8-5997-acd4-3118accc6e02"