Open Redirect: Xfinity CMP Redirection to Google AMP

calendar May 23, 2025  ·
Share on: linkedin copy

Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders.

Sublime rule (View on GitHub)

 1name: "Open Redirect: Xfinity CMP Redirection to Google AMP"
 2description: "Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.domain == "cmp.cws.xfinity.com"
 9          and strings.icontains(.href_url.query_params, "&targetURL=")
10          and regex.icontains(.href_url.query_params,
11                              '&targetUrl=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?google\.[^\&]*\/+amp\/+s\/+'
12          )
13  )
14  and not sender.email.domain.root_domain in ("xfinity.com", "comcast.net")
15  
16  // negate highly trusted sender domains unless they fail DMARC authentication
17  and (
18    (
19      sender.email.domain.root_domain in $high_trust_sender_root_domains
20      and not headers.auth_summary.dmarc.pass
21    )
22    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
23  )  
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Open redirect"
28  - "Evasion"
29detection_methods:
30  - "Header analysis"
31  - "URL analysis"
32  - "Sender analysis"
33id: "c0805b80-0524-5278-8848-f720d58571c2"
to-top