Open redirect: typedrawers.com
Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with a target parameter, sent either from domains that are not highly trusted or from highly trusted (authenticated) domains that fail DMARC checks. Considers sender reputation and requires that the sender be either unsolicited or have prior malicious or spam activity with no false positives.
Sublime rule (View on GitHub)
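name: "Open redirect: typedrawers.com"
description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // the redirect endpoint (typedrawers.com/home/leaving?target=...) must appear either
  // as a link in the body or as a QR code inside an image, macro-bearing or PDF attachment
  and (
    any(body.links,
        .href_url.domain.root_domain == "typedrawers.com"
        and .href_url.path == "/home/leaving"
        and strings.icontains(.href_url.query_params, 'target=')
    )
    or any(attachments,
           (
             .file_type in $file_types_images
             or .file_extension in $file_extensions_macros
             or .file_type == "pdf"
           )
           and any(file.explode(.),
                   .scan.qr.type == "url"
                   and .scan.qr.url.domain.root_domain == "typedrawers.com"
                   and .scan.qr.url.path == "/home/leaving"
                   and strings.icontains(.scan.qr.url.query_params, 'target=')
           )
    )
  )

  // sender reputation: unsolicited, or previously flagged malicious/spam with no false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains, and typedrawers.com itself, unless they fail DMARC authentication.
  // typedrawers.com is excluded from the fall-through branch as well: without that exclusion a
  // sender on typedrawers.com that is not in $high_trust_sender_root_domains would match regardless of DMARC
  and (
    (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        or sender.email.domain.root_domain == "typedrawers.com"
      )
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain not in $high_trust_sender_root_domains
      and sender.email.domain.root_domain != "typedrawers.com"
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"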