sublime · medium · Rule

Open redirect (go2.aspx) leading to Microsoft credential phishing

This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.

MITRE ATT&CK

initial-access

Detection Query

type.inbound

// url path ends with go2.aspx
and any(body.links,
        strings.ends_with(.href_url.path, "go2.aspx")

        // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
        // pattern intended to capture an encoded email passed as an additional parameter
        and (
          regex.contains(.href_url.query_params,
                         '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
          or regex.icontains(ml.link_analysis(.).effective_url.query_params,
                             '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
          )
        )
)
and headers.mailer is null
and regex.icontains(body.html.inner_text,
                    '(i\x{034F}c\x{034F}r\x{034F}os\x{034F}of\x{034F}|icrosof)|(office|o)\s?365'
)
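
As an added example (not part of the Sublime rule or platform), the same three conditions written as a plain Python check and run over constructed sample messages: the two regexes are the rule's own, transcribed to Python syntax, and the `ml.link_analysis` branch (which follows the redirect) is omitted.

```python
import re
from urllib.parse import urlsplit

# The rule's two patterns, transcribed into Python syntax. MQL's \x{034F}
# (U+034F COMBINING GRAPHEME JOINER, inserted between letters of "Microsoft"
# to defeat keyword matching) is written \u034f here; nothing else changes.
REDIRECT_PARAM_RE = re.compile(
    r'[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$')
BRAND_RE = re.compile(
    r'(i\u034fc\u034fr\u034fos\u034fof\u034f|icrosof)|(office|o)\s?365',
    re.IGNORECASE)


def link_matches(href: str) -> bool:
    """strings.ends_with(path, "go2.aspx") and regex.contains(query_params, ...).

    Only the href_url branch is reproduced; the ml.link_analysis branch needs
    the redirect to be followed and is out of scope for an offline check.
    """
    parts = urlsplit(href)
    return (parts.path.endswith("go2.aspx")
            and REDIRECT_PARAM_RE.search(parts.query) is not None)


def rule_matches(msg: dict) -> bool:
    """msg is a constructed stand-in for the MQL message object:
    {'links': [hrefs], 'mailer': str or None, 'inner_text': str}."""
    return (any(link_matches(h) for h in msg["links"])           # any(body.links, ...)
            and msg.get("mailer") is None                        # headers.mailer is null
            and BRAND_RE.search(msg["inner_text"]) is not None)  # brand lure in body text


# Constructed samples; example.invalid is a reserved, non-resolving domain.
PHISH = {
    "links": ["https://example.invalid/r/go2.aspx"
              "?u=redirect-target.net&e=dXNlckBleGFtcGxlLmNvbQ=="],
    "mailer": None,
    # "Microsoft" with U+034F between letters, as the rule's first alternative expects
    "inner_text": "Mi\u034fc\u034fr\u034fos\u034fof\u034ft account: verify now",
}
BENIGN = {  # brand text alone is not enough: known mailer, no go2.aspx redirect
    "links": ["https://example.invalid/docs/index.aspx?id=42"],
    "mailer": "Example Mailer 1.0",
    "inner_text": "Your Office 365 invoice is attached.",
}

if __name__ == "__main__":
    print("PHISH ->", rule_matches(PHISH))    # True
    print("BENIGN ->", rule_matches(BENIGN))  # False
```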

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Open redirect (go2.aspx) leading to Microsoft credential phishing"
description: |
  This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as
  Microsoft-related emails.
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // url path ends with go2.aspx
  and any(body.links,
          strings.ends_with(.href_url.path, "go2.aspx")
  
          // query params from href_url or ml.link_analysis contain a redirection string ending with a base64
          // pattern intended to capture an encoded email passed as an additional parameter
          and (
            regex.contains(.href_url.query_params,
                           '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
            )
            or regex.icontains(ml.link_analysis(.).effective_url.query_params,
                               '[a-z]=[a-z0-9-]+\.[a-z]{2,3}.+[A-Za-z0-9+/=]$|=[^=]$|={3,}$'
            )
          )
  )
  and headers.mailer is null
  and regex.icontains(body.html.inner_text,
                      '(i\x{034F}c\x{034F}r\x{034F}os\x{034F}of\x{034F}|icrosof)|(office|o)\s?365'
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
id: "51667096-1628-5113-809b-97155a03eadf"