Open Redirect: amaterasu-for-website-5.com
Detects messages containing amaterasu-for-website-5.com redirect links that use the url parameter to redirect users to malicious sites. This has been observed in phishing campaigns.
Sublime rule (View on GitHub)
1name: "Open Redirect: amaterasu-for-website-5.com"
2description: |
3 Detects messages containing amaterasu-for-website-5.com redirect links that use the url
4 parameter to redirect users to malicious sites. This has been observed in phishing campaigns.
5type: "rule"
6severity: "medium"
7source: |
8 type.inbound
9 and any(body.links,
10 // Look for website-5 URLs
11 .href_url.domain.domain == "api.amaterasu-for-website-5.com"
12 and strings.icontains(.href_url.query_params, 'url=')
13 // Make sure it's not redirecting back to website-5.com domains
14 and not regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*website-5\.com(?:\&|\/|$|%2f)')
15 )
16 // Exclude legitimate website-5 domains as senders
17 and not sender.email.domain.root_domain == "website-5.com"
18 and not sender.email.domain.root_domain == "amaterasu-for-website-5.com"
19
20 // negate highly trusted sender domains unless they fail DMARC authentication
21 and (
22 (
23 sender.email.domain.root_domain in $high_trust_sender_root_domains
24 and not headers.auth_summary.dmarc.pass
25 )
26 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27 )
28attack_types:
29 - "Credential Phishing"
30 - "Malware/Ransomware"
31tactics_and_techniques:
32 - "Open redirect"
33detection_methods:
34 - "Sender analysis"
35 - "URL analysis"
36id: "d31f7cb8-1b75-53ef-b466-7d677392660b"