EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Open redirect: whitefox.pl

Message contains use of the whitefox.pl open redirect. This has been exploited in the wild.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1204.002T1486

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == "demo.whitefox.pl"
        and strings.icontains(.href_url.path, '/Home/SetCulture')
        and strings.icontains(.href_url.query_params, 'cultureName=')
        and strings.icontains(.href_url.query_params, 'returnUrl=')
        and not regex.icontains(.href_url.query_params,
                                'returnUrl=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*whitefox\.pl(?:\&|\/|$|%2f)'
        )
)
and not sender.email.domain.root_domain == "whitefox.pl"

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Open redirect: whitefox.pl"
description: "Message contains use of the whitefox.pl open redirect. This has been exploited in the wild."
type: "rule"
severity: "medium"
source: |
    type.inbound
    and any(body.links,
            .href_url.domain.domain == "demo.whitefox.pl"
            and strings.icontains(.href_url.path, '/Home/SetCulture')
            and strings.icontains(.href_url.query_params, 'cultureName=')
            and strings.icontains(.href_url.query_params, 'returnUrl=')
            and not regex.icontains(.href_url.query_params,
                                    'returnUrl=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*whitefox\.pl(?:\&|\/|$|%2f)'
            )
    )
    and not sender.email.domain.root_domain == "whitefox.pl"
    
    // negate highly trusted sender domains unless they fail DMARC authentication
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  
id: "18b74a2a-b832-569f-8f1d-a974863c149a"