Open redirect: typedrawers.com

Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives.

Sublime rule

 1name: "Open redirect: typedrawers.com"
 2description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any(body.links,
 9        .href_url.domain.root_domain == "typedrawers.com"
10        and .href_url.path == "/home/leaving"
11        and strings.icontains(.href_url.query_params, 'target=')
12    )
13    or any(attachments,
14           (
15             .file_type in $file_types_images
16             or .file_extension in $file_extensions_macros
17             or .file_type == "pdf"
18           )
19           and any(file.explode(.),
20                   .scan.qr.type == "url"
21                   and .scan.qr.url.domain.root_domain == "typedrawers.com"
22                   and .scan.qr.url.path == "/home/leaving"
23                   and strings.icontains(.scan.qr.url.query_params, 'target=')
24           )
25    )
26  )
27  
28  // negate highly trusted sender domains unless they fail DMARC authentication
29  and (
30    (
31      (
32        sender.email.domain.root_domain in $high_trust_sender_root_domains
33        or sender.email.domain.root_domain == "typedrawers.com"
34      )
35      and not headers.auth_summary.dmarc.pass
36    )
37    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
38  )
39    
40attack_types:
41  - "Credential Phishing"
42tactics_and_techniques:
43  - "Evasion"
44  - "Open redirect"
45  - "QR code"
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "File analysis"
50  - "QR code analysis"
51  - "Sender analysis"
52id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"