sublimemediumRule

Open redirect: HHS

Looks for use of the HHS open redirect.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == 'dcis.hhs.gov'
        and strings.ilike(.href_url.query_params, '*service*')
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/

Raw Content

name: "Open redirect: HHS"
description: |
  Looks for use of the HHS open redirect.
references:
  - "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == 'dcis.hhs.gov'
          and strings.ilike(.href_url.query_params, '*service*')
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "c2d8cda9-358e-5856-93a7-8e76d1ab1df5"