Open redirect: typedrawers.com
Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives.
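name: "Open redirect: typedrawers.com"
# NOTE(review): the description promises a sender-profile condition ("requires
# either unsolicited contact or prior malicious activity") that the source query
# below does not implement. Either add that condition to the query or trim the
# description so analysts are not misled about what the rule actually checks.
description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives."
type: "rule"
severity: "medium"
source: |
  // Inbound mail carrying a typedrawers.com open-redirect link, either as a
  // hyperlink in the body or encoded in a QR code inside an image, macro-bearing
  // or PDF attachment. Only the path and the presence of a `target=` query key
  // are checked; the redirect destination itself is not inspected here.
  type.inbound
  and (
    any(body.links,
        .href_url.domain.root_domain == "typedrawers.com"
        and .href_url.path == "/home/leaving"
        and strings.icontains(.href_url.query_params, 'target=')
    )
    or any(attachments,
           (
             .file_type in $file_types_images
             or .file_extension in $file_extensions_macros
             or .file_type == "pdf"
           )
           and any(file.explode(.),
                   .scan.qr.type == "url"
                   and .scan.qr.url.domain.root_domain == "typedrawers.com"
                   and .scan.qr.url.path == "/home/leaving"
                   and strings.icontains(.scan.qr.url.query_params, 'target=')
           )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication.
  // typedrawers.com itself is treated as trusted here, so a DMARC-passing
  // message from that domain linking to its own redirect is not flagged.
  // Both branches must use the same trusted set: if the "not trusted" branch
  // only tests the $high_trust list, a DMARC-passing typedrawers.com sender
  // still matches through it and the typedrawers.com exemption is dead code.
  and (
    (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        or sender.email.domain.root_domain == "typedrawers.com"
      )
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain not in $high_trust_sender_root_domains
      and sender.email.domain.root_domain != "typedrawers.com"
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"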