← Back to Explore
sublimehighRule
Open redirect: Shibboleth SSO Logout Return Parameter
Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.
Detection Query
type.inbound
and any(body.links,
// uses shibboleth.sso directly within the path
(
strings.icontains(.href_url.path, '/Shibboleth.sso/Logout')
and strings.icontains(.href_url.path, 'return=')
)
// or url encoded within the query_params
or (
strings.icontains(.href_url.query_params, 'Shibboleth.sso%2fLogout')
and strings.icontains(.href_url.query_params, "return%3d")
)
)
and profile.by_sender_email().prevalence != "common"
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Open redirect: Shibboleth SSO Logout Return Parameter"
description: "Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence."
type: "rule"
severity: "high"
source: |
type.inbound
and any(body.links,
// uses shibboleth.sso directly within the path
(
strings.icontains(.href_url.path, '/Shibboleth.sso/Logout')
and strings.icontains(.href_url.path, 'return=')
)
// or url encoded within the query_params
or (
strings.icontains(.href_url.query_params, 'Shibboleth.sso%2fLogout')
and strings.icontains(.href_url.query_params, "return%3d")
)
)
and profile.by_sender_email().prevalence != "common"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Open redirect"
- "Evasion"
detection_methods:
- "HTML analysis"
- "URL analysis"
- "Sender analysis"
id: "374b7517-bb48-5fed-885c-16d27f561e55"