High Severity
Attachment: Calendar invite with suspicious link leading to an open redirect
Description
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
References
No references.
Sublime Security
Created Mar 26th, 2024 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
any(.scan.url.urls,
(
.domain.domain in $free_file_hosts
or (
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and .domain.subdomain != "www"
)
)
and any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.