• Sublime Core Feed
Medium Severity

Attachment: Link to Doubleclick.net Open Redirect

Labels

BEC/Fraud
Credential Phishing
Evasion
Open redirect
Social engineering
Content analysis
File analysis
URL analysis

Description

Doubleclick.net link in a document leveraging an open redirect from a new or outlier sender.

References

No references.

Sublime Security
Created Oct 24th, 2024 • Last updated Oct 24th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.links) == 0
and any(attachments,
        (.file_type in ("pdf", "doc", "docx"))
        and any(file.explode(.),
                any(.scan.url.urls,
                    .domain.root_domain == "doubleclick.net"
                    and (
                      strings.icontains(.path, "/aclk")
                      or strings.icontains(.path, "/pcs/click")
                      or strings.icontains(.path, "/searchads/link/click")
                    )
                    and regex.icontains(.query_params,
                                        '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
                    )
                )
        )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started