Description

Detects inbound messages containing links that abuse Diesel.az's open redirect functionality at '/az/redirect', where the 'url' query parameter points to an external domain. The rule flags messages where the sender is not from diesel.az and the redirect destination leads outside of the diesel.az domain.

References

No references.

Sublime Security
Created Jul 14th, 2026 • Last updated Jul 14th, 2026
Source
type.inbound
and any(body.links,
        .href_url.domain.root_domain == "diesel.az"
        and strings.istarts_with(.href_url.path, '/az/redirect')
        and length(.href_url.query_params_decoded["url"]) > 0
        // redirect is not going back to diesel.az
        and not any(.href_url.query_params_decoded["url"],
                    strings.parse_url(.).domain.root_domain == "diesel.az"
        )
)
and not (
  sender.email.domain.root_domain == "diesel.az"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started