High Severity
Open Redirect: Shibboleth SSO Logout Return Parameter
Description
Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.
References
No references.
Sublime Security
Created Mar 18th, 2025 • Last updated Mar 18th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
        // uses shibboleth.sso directly within the path
        (
          strings.icontains(.href_url.path, '/Shibboleth.sso/Logout')
          and strings.icontains(.href_url.path, 'return=')
        )
        // or url encoded within the query_params
        or (
          strings.icontains(.href_url.query_params, 'Shibboleth.sso%2fLogout')
          and strings.icontains(.href_url.query_params, "return%3d")
        )
)
and profile.by_sender_email().prevalence != "common"
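As an added illustration of the rule above (this is not Sublime Security's code), the following Python port mirrors its two link branches, the plain-path tokens and the percent-encoded tokens inside another link's query string, plus the inbound and sender-prevalence gates, and adds a small triage helper that decodes the nested logout URL to show where its return parameter would send the user. The sample links, the Message shape and the sender prevalence values are constructed for the example; it also assumes that Sublime's .href_url splits a link into path and query_params the same way standard URL parsing (urllib.parse.urlsplit) does, which the page does not state.

```python
"""Python port of the Shibboleth logout open-redirect rule (added example,
not Sublime's code).  Assumption: .href_url.path / .href_url.query_params
correspond to urlsplit(href).path / urlsplit(href).query."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, the analogue of MQL strings.icontains."""
    return needle.lower() in haystack.lower()


def link_matches(href: str) -> bool:
    """True when href satisfies either branch of the rule's any() predicate."""
    parts = urlsplit(href)  # assumption: same path/query split as .href_url
    path, query = parts.path, parts.query
    # branch 1: logout endpoint and a return= token both inside the path
    direct = icontains(path, "/Shibboleth.sso/Logout") and icontains(path, "return=")
    # branch 2: the same tokens percent-encoded inside the query string, i.e.
    # the logout URL nested as a parameter of a wrapper or tracking link
    encoded = icontains(query, "Shibboleth.sso%2fLogout") and icontains(query, "return%3d")
    return direct or encoded


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads (constructed shape)."""
    inbound: bool
    links: List[str]
    sender_prevalence: str  # stands in for profile.by_sender_email().prevalence


def rule_matches(msg: Message) -> bool:
    """Whole rule: inbound, at least one matching link, and a non-common sender."""
    return (
        msg.inbound
        and any(link_matches(href) for href in msg.links)
        and msg.sender_prevalence != "common"
    )


def logout_return_target(href: str) -> Optional[str]:
    """Triage helper: the destination named by the logout URL's return
    parameter, whether the link is the logout URL itself or a wrapper that
    carries it percent-encoded in a query value.  None if there is none."""
    def from_logout_url(url: str) -> Optional[str]:
        parts = urlsplit(url)
        if not icontains(parts.path, "/Shibboleth.sso/Logout"):
            return None
        ret = parse_qs(parts.query).get("return")
        return ret[0] if ret else None

    target = from_logout_url(href)
    if target:
        return target
    for values in parse_qs(urlsplit(href).query).values():  # parse_qs decodes %xx
        for inner in values:
            target = from_logout_url(inner)
            if target:
                return target
    return None


# Constructed sample links (hypothetical hosts).
WRAPPED = ("https://click.tracker.example/r?u=https%3A%2F%2Fidp.example.edu"
           "%2FShibboleth.sso%2FLogout%3Freturn%3Dhttps%3A%2F%2Flanding.example.org%2F")
PATH_EMBEDDED = ("https://lnk.example/l/idp.example.edu/Shibboleth.sso/Logout"
                 ";return=https://landing.example.org/")  # both tokens in the path
PLAIN_LOGOUT = "https://idp.example.edu/Shibboleth.sso/Logout?return=https://landing.example.org/"
BENIGN = "https://idp.example.edu/Shibboleth.sso/Login?target=https://portal.example.edu/"


if __name__ == "__main__":
    for href in (WRAPPED, PATH_EMBEDDED, PLAIN_LOGOUT, BENIGN):
        print(link_matches(href), logout_return_target(href), href)
    print(rule_matches(Message(inbound=True, links=[WRAPPED], sender_prevalence="rare")))
```

One detail worth checking against your own parser: under urlsplit, a link of the form `.../Shibboleth.sso/Logout?return=...` puts `return=` in the query rather than the path, so that form does not satisfy the first branch in this port; it is caught by the second branch once the whole logout URL is percent-encoded inside another link's query. How Sublime's `.href_url.path` attribute splits such a link is not stated on this page, so verify the behaviour in the Playground before relying on the port.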