Open redirect: YouTube
Looks for use of the YouTube open redirect coming from someone other than YouTube.
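name: "Open redirect: YouTube"
description: |
  Looks for use of the YouTube open redirect coming from someone other than YouTube.
type: "rule"
severity: "medium"
authors:
  - twitter: "vector_sec"
source: |
  // Inbound mail that carries a YouTube redirect URL, either as a body link
  // or as a hyperlink relationship inside a parsed attachment.
  type.inbound
  and (
    any(body.links,
        // sld match covers youtube.<any tld>; the two checks below narrow it
        // to the redirect endpoints rather than ordinary video links
        .href_url.domain.sld == "youtube"
        and (
          strings.icontains(.href_url.url, "attribution_link?")
          or .href_url.path == "/redirect"
        )
    )
    or any(attachments,
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
             or (
               // extension-less octet-stream blobs of unknown type are only
               // handed to oletools when they stay under the size cap
               .file_extension is null
               and .file_type == "unknown"
               and .content_type == "application/octet-stream"
               and .size < 100000000
             )
           )
           and any(file.oletools(.).relationships,
                   .name == "hyperlink"
                   and .target_url.domain.sld == "youtube"
                   and (
                     // match on the full URL, mirroring the body.links branch:
                     // "attribution_link?" includes the query delimiter, which
                     // the path component alone would not carry
                     strings.icontains(.target_url.url, "attribution_link?")
                     or .target_url.path == "/redirect"
                   )
           )
    )
  )
  // the redirect is only suspicious when the From domain is not YouTube itself
  // (see description); an equality check here would invert the rule and
  // restrict it to mail whose From root domain is youtube.com
  and headers.auth_summary.dmarc.details.from.root_domain != "youtube.com"

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // limit to senders the recipient has not solicited, or senders with a
  // prior malicious/spam history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "fb33bffe-d3db-5acb-ae19-5ddc6b5b0b01"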