Open redirect: VK

Jan 12, 2026 · Attack surface reduction ·

Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.

Sublime rule (View on GitHub)

 1name: "Open redirect: VK"
 2description: |
 3    Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.
 4type: "rule"
 5authors:
 6  - twitter: "vector_sec"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links,
11          .href_url.domain.root_domain == 'vk.com'
12          and strings.iends_with(.href_url.path, '/away.php')
13  )
14  and sender.email.domain.root_domain != 'vk.com'  
15tags:
16  - "Attack surface reduction"
17attack_types:
18  - "Credential Phishing"
19  - "Malware/Ransomware"
20tactics_and_techniques:
21  - "Open redirect"
22detection_methods:
23  - "Sender analysis"
24  - "URL analysis"
25id: "6ebd6d42-b0d5-5585-a715-aa939097ed99"

Related rules

Attachment: 7z Archive Containing RAR File
Attachment: Any HTML file within archive (unsolicited)
Attachment: Archive containing disallowed file type
Attachment: EML with Encrypted ZIP
Attachment: Encrypted Microsoft Office file (unsolicited)