Medium Severity

Open redirect (go2.aspx) leading to Microsoft credential phishing

Description

This rule detects credential phishing that routes the victim through a go2.aspx open redirect. It fires on inbound messages that contain a link whose URL path ends in go2.aspx and whose query string (on the raw href, or on the effective URL reached by link analysis) carries a redirect target followed by what looks like a base64-encoded email address, that have no mailer header, and whose body text mentions Microsoft or Office 365, including the evasion that breaks up "Microsoft" with U+034F (COMBINING GRAPHEME JOINER) between the letters so a plain keyword match would miss it.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 12th, 2026
Source
type.inbound

// url path ends with go2.aspx
and any(body.links,
        strings.ends_with(.href_url.path, "go2.aspx")

        // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
        // pattern intended to capture an encoded email passed as an additional parameter
        and (
          regex.contains(.href_url.query_params,
                         '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
          or regex.icontains(ml.link_analysis(.).effective_url.query_params,
                             '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
        )
)
and headers.mailer is null
and regex.icontains(body.html.inner_text,
                    '(i\x{034F}c\x{034F}r\x{034F}os\x{034F}of\x{034F}|icrosof)|(office|o)\s?365'
)
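An offline approximation of the rule's logic, added here as example code (it is not Sublime's implementation and does not use the MQL engine): it re-implements the three conditions in Python and runs them over a constructed message. The mapping of headers.mailer to the X-Mailer header is an assumption; body.links and body.html.inner_text are approximated with a small HTML parser; and ml.link_analysis(), which follows the redirect to its effective URL, has no offline equivalent and is left out, so only the raw href is checked. All sample data (hostnames under example.invalid, the encoded address) is constructed.

```python
"""
Offline approximation of the go2.aspx rule above (example code written for
this page, not Sublime's implementation). Mirrors the rule's three conditions:

  1. a body link whose URL path ends in go2.aspx and whose query string
     matches the redirect-plus-base64 pattern,
  2. no X-Mailer header (headers.mailer is assumed here to map to X-Mailer),
  3. a Microsoft / Office 365 mention in the body text, including the variant
     that inserts U+034F (COMBINING GRAPHEME JOINER) between the letters.

ml.link_analysis() is not replicated; only the raw href is checked.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same expressions as the MQL rule. MQL's \x{034F} is \u034F in Python's re syntax.
# regex.contains is case-sensitive, regex.icontains is not, hence the flags below.
QUERY_RE = re.compile(r'[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$')
BRAND_RE = re.compile(
    r'(i\u034Fc\u034Fr\u034Fos\u034Fof\u034F|icrosof)|(office|o)\s?365',
    re.IGNORECASE,
)


class _LinksAndText(HTMLParser):
    """Collects <a href> values and visible text: a stand-in for body.links and body.html.inner_text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.chunks.append(data)


def link_is_suspicious(href):
    """Condition 1: path ends with go2.aspx and the query string matches QUERY_RE."""
    parts = urlsplit(href)
    return parts.path.endswith("go2.aspx") and QUERY_RE.search(parts.query) is not None


def brand_mentioned(inner_text):
    """Condition 3: plain or U+034F-obfuscated Microsoft, or Office 365 / O365."""
    return BRAND_RE.search(inner_text) is not None


def message_matches(raw):
    """Apply all three conditions to a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg["X-Mailer"] is not None:          # headers.mailer is null
        return False
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return False
    parser = _LinksAndText()
    parser.feed(html_part.get_content())
    inner_text = "".join(parser.chunks)
    return any(link_is_suspicious(h) for h in parser.hrefs) and brand_mentioned(inner_text)


# Constructed sample lure (not a real message). "Microsoft" is spelled with U+034F
# between the letters so a naive substring check for "Microsoft" would miss it.
OBFUSCATED_BRAND = "Mi\u034Fc\u034Fr\u034Fos\u034Fof\u034Ft"
REDIRECT_HREF = (
    "https://redirector.example.invalid/go2.aspx"
    "?r=login.example.invalid/auth&e=dXNlckBleGFtcGxlLmNvbQ=="   # base64 of user@example.com
)
SAMPLE_EML = (
    "From: IT Support <alerts@example.invalid>\r\n"
    "To: user@example.com\r\n"
    "Subject: Action required: password expiry\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    f"<html><body><p>Your {OBFUSCATED_BRAND} password expires today.</p>"
    f'<p><a href="{REDIRECT_HREF}">Keep my current password</a></p></body></html>\r\n'
).encode("utf-8")

# The same lure sent by software that sets X-Mailer: the rule requires that header to be absent.
SAMPLE_EML_WITH_MAILER = b"X-Mailer: Example Mailer 1.0\r\n" + SAMPLE_EML

if __name__ == "__main__":
    print("lure matches:", message_matches(SAMPLE_EML))
    print("with X-Mailer:", message_matches(SAMPLE_EML_WITH_MAILER))
```

Two properties of the query regex are worth knowing when tuning: the first alternative only fires when the redirect target appears without a scheme (r=login.example.invalid/..., not r=https://...), and the second alternative, =[^=]$, matches any query string whose final parameter has a one-character value.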