Medium Severity
Open Redirect: obunsha.co.jp
Description
Detects messages containing Obunsha's passnavi redirect service that can be exploited to redirect users to malicious sites. This has been used in phishing campaigns.
References
No references.
Sublime Security
Created Mar 18th, 2025 • Last updated Mar 18th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
// Look for Obunsha passnavi URLs
.href_url.domain.domain == "passnavi.obunsha.co.jp"
and strings.icontains(.href_url.path, '/ct.html')
and strings.icontains(.href_url.query_params, 'uri=')
// Make sure it's not redirecting back to obunsha domains
and not regex.icontains(.href_url.query_params, 'uri=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*obunsha\.co\.jp(?:\&|\/|$|%2f)')
)
// Exclude legitimate Obunsha domains as senders
and not sender.email.domain.root_domain == "obunsha.co.jp"
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.