Open redirect: api.spently.com

Message contains a link that uses the api.spently.com open redirect. This has been exploited in the wild.

Sublime rule

 1name: "Open redirect: api.spently.com"
 2description: |
 3    Message contains use of the api.spently.com redirect. This has been exploited in the wild.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  // there are less than 10 unique links for api.spently.com within the body.links
 9  and length(distinct(filter(body.links,
10                             .href_url.domain.domain == "api.spently.com"
11                      ),
12                      .href_url.url
13             )
14  ) < 10
15  and any(body.links,
16          .href_url.domain.domain == "api.spently.com"
17          and strings.istarts_with(.href_url.path, '/api/spently/click')
18          and strings.icontains(.href_url.query_params, 'url=')
19          and strings.icontains(.href_url.query_params, 'type=')
20          and not regex.icontains(.href_url.query_params,
21                                  'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*spently\.com(?:\&|\/|$|%2f)'
22          )
23  )
24  and not sender.email.domain.root_domain == "spently.com"
25  
26  // negate highly trusted sender domains unless they fail DMARC authentication
27  and (
28    (
29      sender.email.domain.root_domain in $high_trust_sender_root_domains
30      and not headers.auth_summary.dmarc.pass
31    )
32    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
33  )  
34attack_types:
35  - "Credential Phishing"
36  - "Malware/Ransomware"
37tactics_and_techniques:
38  - "Open redirect"
39detection_methods:
40  - "Sender analysis"
41  - "URL analysis"
42id: "69740e97-265f-515b-b5ae-80ec234f07ac"