
Summary
Detects inbound messages that abuse Diesel.az open redirect functionality at /az/redirect. The rule scans message body links for a URL whose domain root is diesel.az and whose path begins with /az/redirect, with a non-empty url query parameter. It then resolves the target of the url parameter and requires that the final destination reside outside diesel.az (root_domain != diesel.az). To reduce false positives from legitimate internal usage, the rule excludes messages where the sender domain is diesel.az and DMARC validation passes. Attack type is Credential Phishing via Open Redirect with potential Brand impersonation; detection relies on URL analysis to inspect redirect targets and sender analysis to assess provenance. This helps surface external destinations that could harvest credentials by impersonating the brand while leveraging an internal redirect flow.
Categories
- Web
Data Sources
- Network Traffic
- Application Log
- Web Credential
Created: 2026-07-15