Open Redirect: tkqlhce.com

 1name: "Open Redirect: tkqlhce.com"
 2description: |
 3    Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(body.links) < 10
 9  and any(body.links,
10          .href_url.domain.root_domain == "tkqlhce.com"
11          and (
12            (
13              strings.icontains(.href_url.query_params, 'url=')
14              and not regex.icontains(.href_url.query_params,
15                                   'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
16              )
17            )
18            or
19            (
20              strings.icontains(.href_url.path, '/links/')
21              and strings.icontains(.href_url.path, '/type/dlg/')
22              and regex.icontains(.href_url.path, 'https?://')
23              and not regex.icontains(.href_url.path,
24                                    '/links/[^/]+/type/dlg/(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*tkqlhce\.com(?:\&|\/|$|%2f)'
25              )
26            )
27          )
28  )
29  and not sender.email.domain.root_domain == "tkqlhce.com"
30  
31  // negate highly trusted sender domains unless they fail DMARC authentication
32  and (
33    (
34      sender.email.domain.root_domain in $high_trust_sender_root_domains
35      and not headers.auth_summary.dmarc.pass
36    )
37    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
38  )  
39attack_types:
40  - "Credential Phishing"
41  - "Malware/Ransomware"
42tactics_and_techniques:
43  - "Open redirect"
44detection_methods:
45  - "Sender analysis"
46  - "URL analysis"
47id: "44eef073-9264-53af-8a23-b2188295e238"