Open Redirect: whitefox.pl

Message contains use of the whitefox.pl open redirect. This has been exploited in the wild.


 1name: "Open Redirect: whitefox.pl"
 2description: "Message contains use of the whitefox.pl open redirect. This has been exploited in the wild."
 3type: "rule"
 4severity: "medium"
 5source: |
 6    type.inbound
 7    and any(body.links,
 8            .href_url.domain.domain == "demo.whitefox.pl"
 9            and strings.icontains(.href_url.path, '/Home/SetCulture')
10            and strings.icontains(.href_url.query_params, 'cultureName=')
11            and strings.icontains(.href_url.query_params, 'returnUrl=')
12            and not regex.icontains(.href_url.query_params,
13                                  'returnUrl=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*whitefox\.pl(?:\&|\/|$|%2f)'
14            )
15    )
16    and not sender.email.domain.root_domain == "whitefox.pl"
17    
18    // negate highly trusted sender domains unless they fail DMARC authentication
19    and (
20      (
21        sender.email.domain.root_domain in $high_trust_sender_root_domains
22        and not headers.auth_summary.dmarc.pass
23      )
24      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
25    )    
26
27attack_types:
28  - "Credential Phishing"
29  - "Malware/Ransomware"
30tactics_and_techniques:
31  - "Open redirect"
32detection_methods:
33  - "Sender analysis"
34  - "URL analysis"
35  
36id: "18b74a2a-b832-569f-8f1d-a974863c149a"