EXPLORE
← Back to Explore
sublimemediumRule

Open redirect: Mailtrack Korea

Detects messages containing links to mailtrack.ksd.or.kr tracking service that redirect to external domains, potentially bypassing security controls through the legitimate Korean mail tracking infrastructure.

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == "mailtrack.ksd.or.kr"
        and .href_url.path == "/TMS/tracking"
        and "url" in~ keys(.href_url.query_params_decoded)
        and not any(regex.iextract(.href_url.query_params,
                                   'url=([^&]+)(?:\&|\/|$)'
                    ),
                    strings.parse_url(.groups[0]).domain.root_domain == ..href_url.domain.root_domain
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Open redirect: Mailtrack Korea"
description: "Detects messages containing links to mailtrack.ksd.or.kr tracking service that redirect to external domains, potentially bypassing security controls through the legitimate Korean mail tracking infrastructure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "mailtrack.ksd.or.kr"
          and .href_url.path == "/TMS/tracking"
          and "url" in~ keys(.href_url.query_params_decoded)
          and not any(regex.iextract(.href_url.query_params,
                                     'url=([^&]+)(?:\&|\/|$)'
                      ),
                      strings.parse_url(.groups[0]).domain.root_domain == ..href_url.domain.root_domain
          )
  )
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Open redirect"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "73210da5-12ca-5ebf-9135-edb5022ed6cb"