Open redirect: VK

Jul 9, 2024 · Attack surface reduction ·

Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.

Sublime rule (View on GitHub)

 1name: "Open redirect: VK"
 2description: |
 3    Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.
 4type: "rule"
 5authors:
 6  - twitter: "vector_sec"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links, .href_url.domain.root_domain == 'vk.com' and strings.iends_with(.href_url.path, '/away.php'))
11  and sender.email.domain.root_domain != 'vk.com'  
12tags:
13  - "Attack surface reduction"
14attack_types:
15  - "Credential Phishing"
16  - "Malware/Ransomware"
17tactics_and_techniques:
18  - "Open redirect"
19detection_methods:
20  - "Sender analysis"
21  - "URL analysis"
22id: "6ebd6d42-b0d5-5585-a715-aa939097ed99"

Related rules

Link: Secure SharePoint file share from new or unusual sender
Link: Free Subdomain host with undisclosed recipients
VIP / Executive impersonation in subject (untrusted)
Twitter infrastructure abuse via link shortener
VIP / Executive impersonation (untrusted)