Open redirect: tkqlhce.com

 1name: "Open redirect: tkqlhce.com"
 2description: |
 3    Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(body.links) < 10
 9  and any(body.links,
10          .href_url.domain.root_domain == "tkqlhce.com"
11          and (
12            (
13              strings.icontains(.href_url.query_params, 'url=')
14              and not regex.icontains(.href_url.query_params,
15                                      'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
16              )
17            )
18            or (
19              strings.icontains(.href_url.path, '/links/')
20              and strings.icontains(.href_url.path, '/type/dlg/')
21              and regex.icontains(.href_url.path, 'https?://')
22              and not regex.icontains(.href_url.path,
23                                      '/links/[^/]+/type/dlg/(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
24              )
25            )
26          )
27  )
28  and not sender.email.domain.root_domain == "tkqlhce.com"
29  
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and not headers.auth_summary.dmarc.pass
35    )
36    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37  )  
38attack_types:
39  - "Credential Phishing"
40  - "Malware/Ransomware"
41tactics_and_techniques:
42  - "Open redirect"
43detection_methods:
44  - "Sender analysis"
45  - "URL analysis"
46id: "44eef073-9264-53af-8a23-b2188295e238"