• Sublime Core Feed
High Severity

Open redirect: Nested Doubleclick.net

Labels

Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis

Description

Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule.

References

No references.

Sublime Security
Created Jul 17th, 2024 • Last updated Jul 17th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.links) < 10
and any(body.links,
        .href_url.domain.root_domain == "doubleclick.net"
        and (
          strings.icontains(.href_url.path, "/aclk")
          or strings.icontains(.href_url.path, "/pcs/click")
          or strings.icontains(.href_url.path, "/searchads/link/click")
        )
  and regex.icontains(.href_url.query_params, '&(?:adurl|ds_dest_url)=(?:https?(\:|%3a))?(?:\/|%2f)(?:\/|%2f)adclick.g.doubleclick.net')
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started