← Back to Explore
sublimemediumRule
Open redirect: Klaviyo
Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild.
Detection Query
type.inbound
and any(body.links,
.href_url.domain.domain == 'manage.kmail-lists.com'
and .href_url.path =~ '/subscriptions/subscribe/update'
and strings.icontains(.href_url.query_params, 'r=')
and not strings.ilike(.display_text, "*subscribe*", "*manage*")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Open redirect: Klaviyo"
description: "Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
.href_url.domain.domain == 'manage.kmail-lists.com'
and .href_url.path =~ '/subscriptions/subscribe/update'
and strings.icontains(.href_url.query_params, 'r=')
and not strings.ilike(.display_text, "*subscribe*", "*manage*")
)
attack_types:
- "Credential Phishing"
- "Spam"
tactics_and_techniques:
- "Evasion"
- "Impersonation: Brand"
- "Open redirect"
- "Social engineering"
detection_methods:
- "Content analysis"
- "URL analysis"
id: "ce5a370a-3b3b-55cb-a4c3-c05cb795b611"