Sync from PR#2370

Create open_redirect_spiceworks.yml by @zoomequipd #2370 Source SHA 276e8ec Triggered by @zoomequipd
sublime-security · Feb 3, 2025 · 132b4ea · 132b4ea
1 parent 0dec5bc
commit 132b4ea
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/detection-rules/open_redirect_spiceworks.yml b/detection-rules/open_redirect_spiceworks.yml
@@ -0,0 +1,35 @@
+name: "Open Redirect: mail.spiceworks.com"
+description: |
+  Message contains use of the mail.spiceworks.com redirect. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.domain == "mail.spiceworks.com"
+          and strings.icontains(.href_url.query_params, '_externalContentRedirect')
+          and not strings.icontains(.href_url.query_params,
+                                    '_externalContentRedirect=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*spiceworks\.com(?:\&|\/|$)'
+          )
+  )
+  and not sender.email.domain.root_domain == "spiceworks.com"
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Open redirect"
+detection_methods:
+  - "Sender analysis"
+  - "URL analysis"
+id: "eb97defd-e636-56d9-b2de-c5e41947d7e5"
+testing_pr: 2370
+testing_sha: 276e8ec8ef35d645956dbd22d58c44bca38d2e20