← Back to Explore
sublimemediumRule
Attachment: Link to Doubleclick.net open redirect
Doubleclick.net link in a document leveraging an open redirect from a new or outlier sender.
Detection Query
type.inbound
and length(body.links) == 0
and any(attachments,
(.file_type in ("pdf", "doc", "docx"))
and any(file.explode(.),
any(.scan.url.urls,
.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.path, "/aclk")
or strings.icontains(.path, "/pcs/click")
or strings.icontains(.path, "/searchads/link/click")
)
and regex.icontains(.query_params,
'&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
)
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Link to Doubleclick.net open redirect"
description: "Doubleclick.net link in a document leveraging an open redirect from a new or outlier sender."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) == 0
and any(attachments,
(.file_type in ("pdf", "doc", "docx"))
and any(file.explode(.),
any(.scan.url.urls,
.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.path, "/aclk")
or strings.icontains(.path, "/pcs/click")
or strings.icontains(.path, "/searchads/link/click")
)
and regex.icontains(.query_params,
'&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
)
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Open redirect"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "URL analysis"
id: "506c16cc-a9b8-5b92-88ff-7fc9b6a89086"