• Sublime Core Feed
Medium Severity

Open Redirect (go2.aspx) leading to Microsoft credential phishing

Labels

Credential Phishing
Impersonation: Brand
Open redirect
Content analysis
Header analysis
URL analysis

Description

This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// url path ends with go2.aspx
and any(body.links,
        strings.ends_with(.href_url.path, "go2.aspx")

        // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
        // pattern intended to capture an encoded email passed as an additional parameter
        and (
          regex.contains(.href_url.query_params,
                         '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
          or regex.icontains(ml.link_analysis(.).effective_url.query_params,
                             '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
        )
)
and headers.mailer is null
and regex.icontains(body.html.inner_text, '(i͏c͏r͏os͏of͏|icrosof)|(office|o)\s?365')
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started