
Summary
This detection rule identifies phishing emails that abuse the open redirect in Indeed's job listing service. It looks for links to Indeed's redirect endpoint ('/r?target=xxxxxx'), whose target parameter carries the final destination, in emails that are not sent from the legitimate Indeed domain (indeed.com). A link is flagged if it matches the open redirect pattern in the body of the email or in any PDF attachment. The rule also takes sender context into account: the sender's historical communication pattern with the recipient (for example, solicited versus unsolicited mail) and any previous spam or malicious behavior. Highly trusted domains are excluded unless they fail DMARC authentication, which reduces false positives without letting spoofed mail from those domains through. Overall, the rule helps protect users from credential phishing and malware delivery that use Indeed's open redirect as a vector to disguise the real destination.
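The following is an added worked example, not the rule's own logic or any vendor's code: a Python sketch of the detection described above, run over constructed sample messages. It assumes a simplified message model (sender domain, DMARC result, body text, extracted PDF text, and two sender-context flags), a hypothetical trusted-domain list, and one plausible way of applying sender context (a solicited sender with no abuse history is not flagged); the page does not state how the real rule weighs that context. Requiring a DMARC pass before honouring the indeed.com exclusion is also this example's own tightening.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Indeed's redirect endpoint: https://<sub>.indeed.com/r?target=<url-encoded destination>
# In a phishing email the destination in "target" is chosen by the attacker.
INDEED_REDIRECT = re.compile(
    r"https?://(?:[a-z0-9-]+\.)*indeed\.com/r\?[^\s\"'<>]+", re.IGNORECASE
)

# Hypothetical "highly trusted" sender domains; an assumption for this example.
TRUSTED_DOMAINS = {"partner.example"}


@dataclass
class Message:
    sender_domain: str            # domain of the From: address
    dmarc_pass: bool              # result of DMARC evaluation on the message
    body: str                     # rendered body text
    pdf_text: list = field(default_factory=list)  # text extracted from PDF attachments
    solicited: bool = False       # recipient has previously mailed this sender
    prior_abuse: bool = False     # sender previously flagged for spam/malware


def is_indeed_sender(domain):
    d = domain.lower()
    return d == "indeed.com" or d.endswith(".indeed.com")


def find_redirect_targets(text):
    """Return the decoded 'target' values of every Indeed redirect link in text."""
    targets = []
    for m in INDEED_REDIRECT.finditer(text):
        qs = parse_qs(urlparse(m.group(0)).query)
        if qs.get("target"):
            targets.append(qs["target"][0])
    return targets


def evaluate(msg):
    """Return {'flag': bool, 'reason': str, 'targets': [...]} for one message."""
    targets = []
    for text in [msg.body, *msg.pdf_text]:
        targets.extend(find_redirect_targets(text))
    if not targets:
        return {"flag": False, "reason": "no Indeed redirect link", "targets": []}

    domain = msg.sender_domain.lower()
    # Exclusion 1: genuine Indeed mail. Requiring DMARC pass here is this example's
    # tightening, so a spoofed indeed.com From: header does not earn the exclusion.
    if is_indeed_sender(domain) and msg.dmarc_pass:
        return {"flag": False, "reason": "authenticated mail from indeed.com", "targets": targets}
    # Exclusion 2: highly trusted domains, unless DMARC fails.
    if domain in TRUSTED_DOMAINS and msg.dmarc_pass:
        return {"flag": False, "reason": "authenticated mail from trusted domain", "targets": targets}
    # Sender context: an established, clean correspondent is treated as low risk.
    # How the real rule weighs this is not stated; this is one plausible choice.
    if msg.solicited and not msg.prior_abuse:
        return {"flag": False, "reason": "solicited sender with no abuse history", "targets": targets}
    reason = "Indeed open redirect from non-Indeed sender"
    if msg.prior_abuse:
        reason += " (sender has prior abuse history)"
    return {"flag": True, "reason": reason, "targets": targets}


# Constructed sample messages (not real mail) exercising each branch.
SAMPLES = {
    "phish_body": Message(
        sender_domain="hr-alerts.example.net", dmarc_pass=True,
        body="Your application was viewed. Sign in: "
             "https://www.indeed.com/r?target=https%3A%2F%2Flogin.example.org%2Fverify now.",
    ),
    "legit_indeed": Message(
        sender_domain="indeed.com", dmarc_pass=True,
        body="New jobs for you: https://www.indeed.com/r?target=https%3A%2F%2Fwww.indeed.com%2Fjobs",
    ),
    "spoofed_indeed": Message(
        sender_domain="indeed.com", dmarc_pass=False,
        body="Reset: https://indeed.com/r?target=https%3A%2F%2Fbad.example%2Freset",
    ),
    "trusted_dmarc_fail": Message(
        sender_domain="partner.example", dmarc_pass=False,
        body="Invoice https://uk.indeed.com/r?target=https%3A%2F%2Fbad.example%2Finvoice",
    ),
    "pdf_only": Message(
        sender_domain="recruiting.example.com", dmarc_pass=True,
        body="Please see the attached job description.",
        pdf_text=["Apply: https://www.indeed.com/r?target=https%3A%2F%2Fbad.example%2Fapply"],
    ),
    "solicited_clean": Message(
        sender_domain="recruiting.example.com", dmarc_pass=True, solicited=True,
        body="Here is the link again: https://www.indeed.com/r?target=https%3A%2F%2Fcareers.example",
    ),
}


def run_samples():
    return {name: evaluate(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} flag={verdict['flag']!s:5s} {verdict['reason']} targets={verdict['targets']}")
```

The decoded target is returned alongside the verdict because it is what an analyst needs next: the redirect host is always Indeed, so the real indicator is the destination hidden in the query string.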
Categories
- Web
- Endpoint
- Infrastructure
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2024-09-11