Open redirect: JustPaste.it

Sublime Rules

Summary
The rule detects inbound messages containing JustPaste.it redirect links that forward to destinations outside of JustPaste.it. It targets links whose domain is justpaste.it and whose path begins with /redirect/, indicating an open redirect that obscures the final destination URL. Redirects that point back to JustPaste.it itself (i.e., wrapped destinations on the same domain) are excluded. To avoid false positives, the rule also skips legitimate JustPaste.it senders (sender.email.domain.root_domain == "justpaste.it"). It relies on URL analysis of the href_url fields within the message body, together with sender analysis, to determine whether a message uses an open redirect to evade reputation checks. By flagging such redirects, it aims to identify phishing or malware delivery attempts that hide the true target URL. The rule is categorized as medium severity and is associated with Credential Phishing and Malware/Ransomware. Its listed techniques are open redirect, evasion, and free file hosting, and its detection methods are URL analysis and sender analysis.
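The logic described above, re-expressed in Python as an added example; it is not the Sublime rule source. The function names are hypothetical, the root-domain check is simplified to a suffix match, and the layout of the wrapped destination after /redirect/ is an assumption, since the page does not document it.

```python
import re
from urllib.parse import urlsplit, unquote

REDIRECTOR = "justpaste.it"

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL
        return ""

def is_justpaste(host):
    # Simplified stand-in for a root_domain comparison (no public suffix list).
    return host == REDIRECTOR or host.endswith("." + REDIRECTOR)

def is_redirect_link(href):
    try:
        path = urlsplit(href).path
    except ValueError:
        return False
    return is_justpaste(host_of(href)) and path.startswith("/redirect/")

def wrapped_destination(href):
    """Assumed layout: destination URL follows /redirect/, maybe percent-encoded."""
    parts = urlsplit(href)
    tail = parts.path[len("/redirect/"):]
    if parts.query:
        tail += "?" + parts.query
    match = re.search(r"https?://[^\s\"'<>]+", unquote(tail), re.IGNORECASE)
    return match.group(0) if match else None

def flag_message(sender_email, hrefs):
    """Return (link, destination) pairs the described logic would flag."""
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    if is_justpaste(sender_domain):
        return []  # legitimate JustPaste.it sender is skipped
    flagged = []
    for href in hrefs:
        if not is_redirect_link(href):
            continue
        dest = wrapped_destination(href)
        if dest and is_justpaste(host_of(dest)):
            continue  # wrapped destination stays on JustPaste.it
        flagged.append((href, dest))
    return flagged

# Constructed sample links (reserved example domains), not real indicators.
SAMPLE_HREFS = [
    "https://justpaste.it/redirect/a1b2c/https%3A%2F%2Flogin.example.net%2Fsignin",
    "https://justpaste.it/redirect/a1b2c/https%3A%2F%2Fjustpaste.it%2Fx9y8z",
    "https://justpaste.it/a1b2c",
    "https://notjustpaste.it/redirect/a1b2c/https%3A%2F%2Fexample.com",
]
```

A redirect link whose destination cannot be parsed is still flagged, with `None` as the destination, because it has not been shown to stay on JustPaste.it.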
Categories
  • Network
  • Web
Data Sources
  • Network Traffic
Created: 2026-07-03