← Back to Explore
sublimehighRule
Open redirect: Nested Doubleclick.net
Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.href_url.path, "/aclk")
or strings.icontains(.href_url.path, "/pcs/click")
or strings.icontains(.href_url.path, "/searchads/link/click")
)
and regex.icontains(.href_url.query_params,
'&(?:adurl|ds_dest_url)=(?:https?(\:|%3a))?(?:\/|%2f)(?:\/|%2f)adclick.g.doubleclick.net'
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Open redirect: Nested Doubleclick.net"
description: "Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
.href_url.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.href_url.path, "/aclk")
or strings.icontains(.href_url.path, "/pcs/click")
or strings.icontains(.href_url.path, "/searchads/link/click")
)
and regex.icontains(.href_url.query_params,
'&(?:adurl|ds_dest_url)=(?:https?(\:|%3a))?(?:\/|%2f)(?:\/|%2f)adclick.g.doubleclick.net'
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "bbed5cc6-4c39-5a53-9255-269cbd4e27cb"