Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create open_redirect_typedrawers.yml #2133

Merged
merged 2 commits into from
Nov 26, 2024
Merged

Create open_redirect_typedrawers.yml #2133

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
76c832b
Create open_redirect_typedrawers.yml
aidenmitchell Nov 19, 2024
2447b75
Auto add rule ID
Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions detection-rules/open_redirect_typedrawers.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
name: "Open redirect: typedrawers.com"
description: "Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
any(body.links,
.href_url.domain.root_domain == "typedrawers.com"
and .href_url.path == "/home/leaving"
and strings.icontains(.href_url.query_params, 'target=')
)
or any(attachments,
(
.file_type in $file_types_images
or .file_extension in $file_extensions_macros
or .file_type == "pdf"
)
and any(file.explode(.),
.scan.qr.type == "url"
and .scan.qr.url.domain.root_domain == "typedrawers.com"
and .scan.qr.url.path == "/home/leaving"
and strings.icontains(.scan.qr.url.query_params, 'target=')
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
or sender.email.domain.root_domain == "typedrawers.com"
)
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Open redirect"
- "QR code"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "QR code analysis"
- "Sender analysis"
id: "158d9e95-4ce4-58c7-83ce-56e5942db1e6"