Open redirect: VK

Dec 20, 2023 · Attack surface reduction ·

Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.

Sublime rule (View on GitHub)

 1name: "Open redirect: VK"
 2description: |
 3    Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.
 4type: "rule"
 5authors:
 6  - twitter: "vector_sec"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(body.links, .href_url.domain.root_domain == 'vk.com' and .href_url.path =~ '/away.php')
11  and sender.email.domain.root_domain != 'vk.com'  
12tags:
13  - "Attack surface reduction"
14attack_types:
15  - "Credential Phishing"
16  - "Malware/Ransomware"
17tactics_and_techniques:
18  - "Open redirect"
19detection_methods:
20  - "Sender analysis"
21  - "URL analysis"
22id: "6ebd6d42-b0d5-5585-a715-aa939097ed99"

Related rules

Link to a Domain with Punycode Characters
Open redirect: Linkedin
Open redirect: Panera Bread
Open redirect: Samsung
Open redirect: Slack