
Summary
This detection rule identifies potential open redirect abuse involving the domain 'tuttocauzioni.it'. An open redirect vulnerability lets an attacker send users to a malicious site without their knowledge, and it is commonly used in phishing attempts and malware distribution. The rule checks inbound messages for links pointing to 'tuttocauzioni.it' whose path is the redirect script '/redirect.php' and whose query string carries a 'url=' parameter. The detection logic further requires that this parameter does not lead back to 'tuttocauzioni.it', so that only redirects to an external site that could pose a threat are matched. Messages from trusted sender domains are excluded unless they have failed DMARC authentication. This reduces false positives from legitimate sender domains while still catching potentially harmful redirects, especially those used in credential phishing or malware campaigns. By combining sender and URL analysis, the rule strengthens the security posture against social engineering threats that rely on open redirects.
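The following Python is an added illustration of the rule logic described above, not the rule's own implementation or code from its vendor. It assumes a simplified message record (sender domain, DMARC result, extracted links), a constructed trusted-sender list, and constructed sample messages; the link check enforces the domain, the '/redirect.php' path, and an external 'url=' destination, and the sender check drops trusted domains only while DMARC passes.

```python
from urllib.parse import urlparse, parse_qs

TARGET_DOMAIN = "tuttocauzioni.it"         # abused redirector named in the rule
REDIRECT_PATH = "/redirect.php"            # open-redirect endpoint named in the rule
TRUSTED_SENDER_DOMAINS = {"partner.test"}  # constructed allow-list, not real data

def _host_of(value: str) -> str:
    """Lower-cased hostname; scheme-less values such as 'evil.test/x' still parse."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def _is_target_domain(host: str) -> bool:
    # Exact match or subdomain only, so 'tuttocauzioni.it.evil.test' is not internal.
    return host == TARGET_DOMAIN or host.endswith("." + TARGET_DOMAIN)

def is_open_redirect_link(link: str) -> bool:
    """True for tuttocauzioni.it/redirect.php?url=<destination outside the domain>."""
    parsed = urlparse(link)
    if not _is_target_domain(_host_of(link)) or parsed.path.lower() != REDIRECT_PATH:
        return False
    targets = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
    return bool(targets) and not _is_target_domain(_host_of(targets[0]))

def message_matches(msg: dict, trusted: set) -> bool:
    """Trusted sender domains are excluded only while their DMARC check passes."""
    if msg["sender_domain"].lower() in trusted and msg["dmarc_pass"]:
        return False
    return any(is_open_redirect_link(link) for link in msg["links"])

def flagged_message_ids(messages, trusted=TRUSTED_SENDER_DOMAINS):
    return [m["id"] for m in messages if message_matches(m, trusted)]

# Constructed inbound messages (not real traffic), one per branch of the rule.
REDIRECT = "https://tuttocauzioni.it/redirect.php?url=https%3A%2F%2Flogin.phish.test%2Fsso"
SAMPLE_MESSAGES = [
    {"id": "m1", "sender_domain": "random.test", "dmarc_pass": True, "links": [REDIRECT]},
    {"id": "m2", "sender_domain": "partner.test", "dmarc_pass": True, "links": [REDIRECT]},
    {"id": "m3", "sender_domain": "partner.test", "dmarc_pass": False, "links": [REDIRECT]},
    {"id": "m4", "sender_domain": "random.test", "dmarc_pass": True,
     "links": ["https://tuttocauzioni.it/redirect.php?url=https://www.tuttocauzioni.it/home"]},
    {"id": "m5", "sender_domain": "random.test", "dmarc_pass": True,
     "links": ["https://tuttocauzioni.it/about", "https://other.test/redirect.php?url=x.test"]},
]

if __name__ == "__main__":
    print(flagged_message_ids(SAMPLE_MESSAGES))  # ['m1', 'm3']
```

Message m2 is suppressed because its trusted sender passed DMARC, while m3 from the same domain is still flagged because DMARC failed, which is the spoofing case the exclusion is designed not to hide.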
Categories
- Web
- Cloud
- Network
- Application
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
Created: 2025-07-08