Detection rules › Sublime MQL
Open redirect: Cartoon Network
This rule detects the use of Cartoon Network's Denmark domain as an open redirect.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Spam |
| Tactics and techniques | Open redirect, Evasion |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.sld == 'cartoonnetwork'
// it has to be www. - not hitting the www doesn't work
and .href_url.domain.subdomain == 'www'
// the path startswith a double //
and strings.starts_with(.href_url.path, '//')
// the path has to end in a trailing /
and strings.ends_with(.href_url.path, '/')
)
Detection logic
Scope: inbound message.
This rule detects the use of Cartoon Network's Denmark domain as an open redirect.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.sld is 'cartoonnetwork'
- .href_url.domain.subdomain is 'www'
- .href_url.path starts with '//'
- .href_url.path ends with '/'
Inspects: body.links, body.links[].href_url.domain.sld, body.links[].href_url.domain.subdomain, body.links[].href_url.path, type.inbound. Sensors: strings.ends_with, strings.starts_with.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.sld | equals | cartoonnetwork |
body.links[].href_url.domain.subdomain | equals | www |
strings.starts_with | prefix | // |
strings.ends_with | suffix | / |