Open redirect: YouTube
Looks for use of the YouTube open redirect coming from someone other than YouTube.
# Sublime Security detection rule; the detection logic is the MQL expression
# in `source`. Flags inbound mail that links to the youtube.com
# "attribution_link" open redirect while DMARC attributes the message to a
# From domain other than youtube.com, i.e. a sender other than YouTube using
# the redirect to hide the real landing page.
name: "Open redirect: YouTube"
description: |
  Looks for use of the YouTube open redirect coming from someone other than YouTube.
type: "rule"
severity: "medium"
authors:
  - twitter: "vector_sec"
# Clause by clause:
#   1. inbound message with at least one body link whose root domain is
#      youtube.com and whose URL contains "attribution_link?" (case-insensitive);
#   2. among the hops that carry a DMARC result, at least one reports a DMARC
#      From domain other than youtube.com — NOTE(review): presumably `any` over
#      an empty set is false, so a message with no DMARC result on any hop
#      would not match; confirm that is the intended trade-off;
#   3. senders in $high_trust_sender_root_domains are exempt unless some hop
#      with a DMARC result reports a value matching "*fail";
#   4. the sender profile must be unsolicited, or have prior messages flagged
#      malicious or spam.
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "youtube.com"
          and strings.icontains(.href_url.url, "attribution_link?")
  )
  and (
    any(distinct(headers.hops, .authentication_results.dmarc is not null),
        .authentication_results.dmarc_details.from.domain != "youtube.com"
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
# Stable identifier for this rule; keep quoted so tooling treats it as a string.
id: "fb33bffe-d3db-5acb-ae19-5ddc6b5b0b01"