From 3978fbaa8b94557bd887d0bf54771a0cf36e24fb Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 4 Aug 2023 03:34:39 +0000
Subject: [PATCH] Sync from PR#604 Adding PDF scanning to LinkedIn open redirect rule by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/604 Source SHA 5e9607399c93fbce8b756095bd9c450318638ef4 Triggered by @jkamdjou
---
 detection-rules/open_redirect_linkedin.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 detection-rules/open_redirect_linkedin.yml
diff --git a/detection-rules/open_redirect_linkedin.yml b/detection-rules/open_redirect_linkedin.yml
new file mode 100644
index 00000000000..5f27131c420
--- /dev/null
+++ b/detection-rules/open_redirect_linkedin.yml
@@ -0,0 +1,15 @@
+name: "Open redirect: Linkedin"
+description: "Detects emails containing links using Linkedin '/slink?code=xxxxx' open redirect where the email has not come from Linkedin.com"
+references:
+ - "https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/"
+type: "rule"
+authors:
+ - twitter: "xNymia"
+severity: "medium"
+source: "type.inbound\nand (\n (\n sender.email.domain.root_domain != \"linkedin.com\"\n and any(body.links, .href_url.domain.root_domain == 'linkedin.com' and .href_url.path == '/slink')\n and any(body.links, strings.ilike(.href_url.query_params, 'code=*'))\n )\n or any(attachments, .file_type == \"pdf\"\n and any(file.explode(.), \n any(.scan.url.urls, .domain.root_domain == 'linkedin.com' and .path == '/slink')\n and any(.scan.url.urls, strings.ilike(.query_params, 'code=*'))\n )\n )\n)\n"
+tags:
+ - "Open redirect"
+ - "Suspicious link"
+id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"
+testing_pr: 604
+testing_sha: 5e9607399c93fbce8b756095bd9c450318638ef4
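Review bot: The new PDF-attachment branch in `source` is not gated by the sender check — `sender.email.domain.root_domain != "linkedin.com"` sits inside the first parenthesized group only, so a PDF sent from linkedin.com itself that carries a `/slink?code=` URL still matches, which contradicts the `description` ("where the email has not come from Linkedin.com"). Move that line up to sit directly after `type.inbound` (`and sender.email.domain.root_domain != "linkedin.com"`) and drop it from the inner group so it applies to both the body-link and attachment branches. Separately, each branch tests the `/slink` path and the `code=*` query in two independent `any(...)` calls, so a message holding one benign linkedin.com/slink link plus an unrelated link whose query starts with `code=` would also fire; folding both conditions into a single `any(...)` predicate per branch (e.g. `.href_url.path == '/slink' and strings.ilike(.href_url.query_params, 'code=*')` in the body branch) would tighten it. Note too that `strings.ilike(..., 'code=*')` only matches a query string that begins with `code=`, so confirm whether `'*code=*'` is the intended pattern.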