
Open redirect: typedrawers.com

Sublime Rules

Summary
This detection rule targets messages containing links or QR codes that send users to the URL `typedrawers.com/home/leaving`, an open redirect, when the message comes from a non-trusted sender domain or from a sender whose DMARC check fails. It inspects the message body and any attachments, flagging URLs and QR-code payloads that carry a `target=` query parameter. To limit false positives, the sender must either be unsolicited (no prior contact with the recipient organization) or have a history of malicious messages with no recorded false positives. Trusted sender domains are excluded unless they fail DMARC authentication. The rule is intended to catch phishing that abuses open redirects and QR codes for social engineering.
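The following Python is an added illustration of the detection logic described in the summary; it is not the Sublime rule itself and does not use Sublime's query language. The `Message` and `SenderProfile` structures, the `TRUSTED_DOMAINS` set and the sample messages are constructed for the example. It also handles one edge case worth knowing about: URLs decoded from QR codes frequently lack a scheme, so the parser supplies one before matching the host and path.

```python
"""Constructed detection logic mirroring the rule described above (added
example, not Sublime's own rule code)."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse, parse_qs

# Open-redirect endpoint named by the rule.
REDIRECT_HOST = "typedrawers.com"
REDIRECT_PATH = "/home/leaving"

# Hypothetical trusted-sender list; the real rule uses Sublime's own list.
TRUSTED_DOMAINS = {"example-partner.test"}


@dataclass
class SenderProfile:
    unsolicited: bool = False           # sender never contacted the org before
    prevalence_malicious: bool = False  # prior messages judged malicious
    false_positives: int = 0            # prior benign flags for this sender


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    body_links: List[str] = field(default_factory=list)
    qr_links: List[str] = field(default_factory=list)  # URLs decoded from QR codes
    sender: SenderProfile = field(default_factory=SenderProfile)


def is_open_redirect_link(url: str) -> bool:
    """True if url points at typedrawers.com/home/leaving and carries a
    target= parameter. QR-decoded strings often lack a scheme, so one is
    supplied so urlparse splits host and path correctly."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in (REDIRECT_HOST, "www." + REDIRECT_HOST):
        return False
    if parsed.path.rstrip("/") != REDIRECT_PATH:
        return False
    # Any 'target' key, even with an empty value, is the redirect parameter.
    return "target" in parse_qs(parsed.query, keep_blank_values=True)


def redirect_links(msg: Message) -> List[str]:
    """All body and QR-code links in the message that hit the redirect."""
    return [u for u in msg.body_links + msg.qr_links if is_open_redirect_link(u)]


def sender_is_suspicious(msg: Message) -> bool:
    """Sender-side conditions from the rule: trusted domains are excluded
    unless DMARC fails, and the sender must be unsolicited or have a
    malicious history with no false positives."""
    if msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass:
        return False
    s = msg.sender
    return s.unsolicited or (s.prevalence_malicious and s.false_positives == 0)


def rule_matches(msg: Message) -> bool:
    """Full rule: at least one redirect link plus a suspicious sender."""
    return bool(redirect_links(msg)) and sender_is_suspicious(msg)


# Constructed sample messages (not real traffic).
PHISH = Message(
    sender_domain="mail.unknown-sender.test",
    dmarc_pass=True,
    qr_links=["typedrawers.com/home/leaving?target=https%3A%2F%2Flogin.example.test"],
    sender=SenderProfile(unsolicited=True),
)
BENIGN_TRUSTED = Message(
    sender_domain="example-partner.test",
    dmarc_pass=True,
    body_links=["https://typedrawers.com/home/leaving?target=https://example.test"],
    sender=SenderProfile(unsolicited=True),
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("BENIGN_TRUSTED", BENIGN_TRUSTED)):
        print(name, "->", rule_matches(m), redirect_links(m))
```

The host and path are matched exactly rather than by substring so that a URL such as `https://attacker.test/typedrawers.com/home/leaving?target=x` does not trigger; the sender gate then decides whether a genuine redirect link is worth alerting on.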
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
  • Process
  • File
Created: 2024-11-26