Open Redirect: YouTube --> Google Redirection Chain

Message contains a link that uses a redirect chain through YouTube and Google AMP: the link points at YouTube's logout endpoint, whose `continue` parameter forwards the browser to a Google AMP cache URL, which in turn lands on the final destination. This chain has been exploited in the wild.

Sublime rule

name: "Open Redirect: YouTube --> Google Redirection Chain"
description: |
    Message contains use of a redirect chain which involves YouTube and Google amp. This has been exploited in the wild.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          (
            .href_url.domain.root_domain == "youtube.com"
            and strings.icontains(.href_url.path, 'logout')
            // the redirect field
            and strings.icontains(.href_url.query_params, "continue=")
            and regex.icontains(.href_url.query_params, '&continue=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?google\.com[^\&]*\/+amp\/+s\/+')
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "67823fac-cb03-5aea-a8ff-782e2e8c42d4"
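The following is an added example, not part of the Sublime rule or the sublime-rules repository, that re-implements the rule's four conditions in plain Python so the logic can be exercised outside the Sublime platform. Instead of running the regex over the raw query string (as the rule does, which is why its pattern accepts both `:`/`//` and their `%3a`/`%2f` encodings), it percent-decodes the `continue` value first and then matches a single simplified pattern; it also decodes a second time to catch double-encoded values. `root_domain` is a two-label simplification with no public-suffix list, `extract_links` is a deliberately naive `href` scraper, and every URL in `SAMPLE_BODY` is constructed, with `phish.example` as a placeholder for the final landing host.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Applied to the percent-decoded "continue" value. Mirrors the rule's regex:
# optional scheme and "//", then google.com, then "/amp/s/" somewhere in the
# path (the rule allows repeated slashes, so we do too).
GOOGLE_AMP_RE = re.compile(
    r'^(?:https?)?(?::?//)?google\.com[^&]*?/+amp/+s/+', re.IGNORECASE
)


def root_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def is_youtube_google_amp_redirect(url: str) -> bool:
    """True when a URL matches the rule: youtube.com host, 'logout' in the
    path, and a continue= parameter that forwards to a Google AMP URL."""
    parsed = urlparse(url)
    if not parsed.hostname or root_domain(parsed.hostname) != 'youtube.com':
        return False
    if 'logout' not in parsed.path.lower():
        return False
    # parse_qs percent-decodes once; unquote again so a double-encoded
    # redirect target (%253A%252F%252F...) is normalised before matching.
    for value in parse_qs(parsed.query, keep_blank_values=True).get('continue', []):
        if GOOGLE_AMP_RE.search(unquote(value)):
            return True
    return False


def extract_links(body: str) -> list[str]:
    """Naive href extraction from an HTML body (constructed for this example)."""
    return re.findall(r'href=["\']([^"\']+)["\']', body, re.IGNORECASE)


def scan_message(body: str) -> list[str]:
    """Return the links in a message body that match the redirect-chain rule."""
    return [u for u in extract_links(body) if is_youtube_google_amp_redirect(u)]


# Constructed sample message: one benign YouTube link, one plain redirect
# chain, one percent-encoded chain, and one double-encoded chain.
SAMPLE_BODY = """
<p>Watch: <a href="https://www.youtube.com/watch?v=dQw4w9WgXcQ">video</a></p>
<a href="https://www.youtube.com/logout?continue=https://google.com/amp/s/phish.example/login">Review document</a>
<a href="https://youtube.com/logout?continue=https%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fphish.example%2Fsso">Sign in</a>
<a href="https://youtube.com/Logout?continue=https%253A%252F%252Fgoogle.com%252Famp%252Fs%252Fphish.example">Verify</a>
"""

if __name__ == '__main__':
    for hit in scan_message(SAMPLE_BODY):
        print('MATCH', hit)
```

Running the block prints the three redirect-chain links and skips the ordinary `watch` link. Two edge cases worth noting when porting the rule: a lookalike host such as `youtube.com.evil.example` fails the root-domain check rather than the string check, and a `continue` target that stays on `youtube.com` is not flagged, matching the rule's intent of catching only the Google AMP hop.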