← Back to Explore
sublimemediumRule
Open redirect: MSN
Message uses an MSN open redirect. Sample (benign) redirect to sublimesecurity[.]com: https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==
Detection Query
type.inbound
and any(body.links,
.href_url.domain.root_domain == "msn.com"
and .href_url.path =~ "/en-gb/lifestyle/rf-best-products-uk/redirect"
and strings.icontains(.href_url.query_params, "url")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Open redirect: MSN"
description: |
Message uses an MSN open redirect.
Sample (benign) redirect to sublimesecurity[.]com:
https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==
references:
- "https://twitter.com/jkamdjou/status/1601589501880840192?s=20&t=pUzE5E8sd1UXKh1eUEASiQ"
- "https://playground.sublimesecurity.com?id=68cbab41-abd0-47e5-90ac-7cd5cd65e85c"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
.href_url.domain.root_domain == "msn.com"
and .href_url.path =~ "/en-gb/lifestyle/rf-best-products-uk/redirect"
and strings.icontains(.href_url.query_params, "url")
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "0e0a691a-3bf9-573a-82dd-96b4ef8f96c5"