← Back to Explore
sublimemediumRule
Open redirect: Samsung
Message contains use of the Samsung open redirect, but the sender is not Samsung.
Detection Query
type.inbound
and any(body.links,
(
.href_url.domain.domain == 't.info.samsungusa.com'
and .href_url.path =~ '/r/'
)
or (
.href_url.domain.root_domain == "samsung.com"
and strings.iends_with(.href_url.domain.subdomain, '.email')
and strings.icontains(.href_url.path, '/r/')
and strings.icontains(.href_url.query_params, 'id=')
and strings.icontains(.href_url.query_params, 'p1=')
// with redirects to google/doubleclick
and regex.icontains(.href_url.query_params,
'p1=[^\&]*(?:google\.|doubleclick\.net)'
)
)
)
and sender.email.domain.root_domain not in ('samsungusa.com', 'samsung.com')
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Open redirect: Samsung"
description: |
Message contains use of the Samsung open redirect, but the sender is not Samsung.
references:
- "https://twitter.com/ffforward/status/1232958609031598080?lang=en"
- "https://twitter.com/JCyberSec_/status/1238488919135715328?s=20"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
(
.href_url.domain.domain == 't.info.samsungusa.com'
and .href_url.path =~ '/r/'
)
or (
.href_url.domain.root_domain == "samsung.com"
and strings.iends_with(.href_url.domain.subdomain, '.email')
and strings.icontains(.href_url.path, '/r/')
and strings.icontains(.href_url.query_params, 'id=')
and strings.icontains(.href_url.query_params, 'p1=')
// with redirects to google/doubleclick
and regex.icontains(.href_url.query_params,
'p1=[^\&]*(?:google\.|doubleclick\.net)'
)
)
)
and sender.email.domain.root_domain not in ('samsungusa.com', 'samsung.com')
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "164ece9a-26ca-5872-9604-7e948722d627"