Create open_redirect_easycamp.yml

detection-rules/open_redirect_easycamp.yml

@@ -0,0 +1,39 @@
+name: "Open Redirect: easycamp.com"
+description: |
+  Message contains use of the easycamp.com open redirect. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.root_domain == "easycamp.com"
+          and regex.icontains(.href_url.query_params, 'redirect=(?:https?|(?:\/|%2f)(?:\/|%2f))')
+          and not regex.icontains(.href_url.query_params, 'redirect=[^\&]*easycamp\.com') 
+
+  )
+  and not sender.email.domain.root_domain == "easycamp.com"
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Open redirect"
+detection_methods:
+  - "Sender analysis"
+  - "URL analysis"
+id: "f05d377d-b360-5cce-8239-6bdc70a462ef"