Open redirect: typedrawers.com

Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with a `target` query parameter, which the rule treats as an open redirect to the URL named in that parameter. It fires only when the sender's domain is outside the high-trust list (or is a high-trust domain that fails DMARC), and only when the sender is either unsolicited or has prior malicious/spam messages with no recorded false positives.


 1name: "Open redirect: typedrawers.com"
 2description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any(body.links,
 9        .href_url.domain.root_domain == "typedrawers.com"
10        and .href_url.path == "/home/leaving"
11        and strings.icontains(.href_url.query_params, 'target=')
12    )
13    or any(attachments,
14           (
15             .file_type in $file_types_images
16             or .file_extension in $file_extensions_macros
17             or .file_type == "pdf"
18           )
19           and any(file.explode(.),
20                   .scan.qr.type == "url"
21                   and .scan.qr.url.domain.root_domain == "typedrawers.com"
22                   and .scan.qr.url.path == "/home/leaving"
23                   and strings.icontains(.scan.qr.url.query_params, 'target=')
24           )
25    )
26  )
27  and (
28    not profile.by_sender().solicited
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )
34  
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      (
39        sender.email.domain.root_domain in $high_trust_sender_root_domains
40        or sender.email.domain.root_domain == "typedrawers.com"
41      )
42      and not headers.auth_summary.dmarc.pass
43    )
44    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
45  )
46    
47attack_types:
48  - "Credential Phishing"
49tactics_and_techniques:
50  - "Evasion"
51  - "Open redirect"
52  - "QR code"
53  - "Social engineering"
54detection_methods:
55  - "Content analysis"
56  - "File analysis"
57  - "QR code analysis"
58  - "Sender analysis"
59id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"