← Back to Explore
sublimemediumRule
Open redirect: Doubleclick.net
Doubleclick.net link leveraging an open redirect from a new or outlier sender.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.href_url.path, "/aclk")
or strings.icontains(.href_url.path, "/pcs/click")
or strings.icontains(.href_url.path, "/searchads/link/click")
)
and regex.icontains(.href_url.query_params,
'&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Open redirect: Doubleclick.net"
description: Doubleclick.net link leveraging an open redirect from a new or outlier sender.
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.href_url.path, "/aclk")
or strings.icontains(.href_url.path, "/pcs/click")
or strings.icontains(.href_url.path, "/searchads/link/click")
)
and regex.icontains(.href_url.query_params,
'&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "9c620146-2e0e-5cbb-96fc-fea27236117c"