diff --git a/detection-rules/open_redirect_typedrawers.yml b/detection-rules/open_redirect_typedrawers.yml new file mode 100644 index 00000000000..994ad00b6cd --- /dev/null +++ b/detection-rules/open_redirect_typedrawers.yml @@ -0,0 +1,59 @@ +name: "Open redirect: typedrawers.com" +description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives." +type: "rule" +severity: "medium" +source: | + type.inbound + and ( + any(body.links, + .href_url.domain.root_domain == "typedrawers.com" + and .href_url.path == "/home/leaving" + and strings.icontains(.href_url.query_params, 'target=') + ) + or any(attachments, + ( + .file_type in $file_types_images + or .file_extension in $file_extensions_macros + or .file_type == "pdf" + ) + and any(file.explode(.), + .scan.qr.type == "url" + and .scan.qr.url.domain.root_domain == "typedrawers.com" + and .scan.qr.url.path == "/home/leaving" + and strings.icontains(.scan.qr.url.query_params, 'target=') + ) + ) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + or sender.email.domain.root_domain == "typedrawers.com" + ) + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Open redirect" + - "QR code" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "QR code analysis" + - "Sender analysis" +id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"