Open redirect: Doubleclick.net

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Doubleclick.net link leveraging an open redirect from a new or outlier sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing, Malware/Ransomware
Tactics and techniques    Open redirect

Event coverage

Rule body MQL

type.inbound
and length(body.links) < 10
and any(body.links,
        .href_url.domain.root_domain == "doubleclick.net"
        and (
          strings.icontains(.href_url.path, "/aclk")
          or strings.icontains(.href_url.path, "/pcs/click")
          or strings.icontains(.href_url.path, "/searchads/link/click")
        )
        and regex.icontains(.href_url.query_params,
                            '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(body.links) < 10
  3. any of body.links where all hold:
    • .href_url.domain.root_domain is 'doubleclick.net'
    • any of:
      • .href_url.path contains '/aclk'
      • .href_url.path contains '/pcs/click'
      • .href_url.path contains '/searchads/link/click'
    • .href_url.query_params matches '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'

Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, body.links[].href_url.query_params, type.inbound. Sensors: regex.icontains, strings.icontains.
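The following Python is an added re-implementation of the detection logic above for offline testing; it is not part of the sublime-rules repository or the Sublime engine. It assumes that MQL's `.href_url.query_params` is the raw query string after `?` (so the regex's leading `&` means the redirect parameter must not be the first one) and it stands in for `root_domain` with a simplified last-two-labels helper. The sample links are constructed and use the reserved `example.invalid` host.

```python
import re
from urllib.parse import urlsplit

# Mirrors the rule body: target root domain, click-tracking paths, and the
# query-string regex that looks for a redirect parameter carrying a URL.
ROOT_DOMAIN = "doubleclick.net"
PATH_MARKERS = ("/aclk", "/pcs/click", "/searchads/link/click")
REDIRECT_PARAM_RE = re.compile(
    r"&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)",
    re.IGNORECASE,  # regex.icontains is case-insensitive
)
MAX_LINKS = 10  # length(body.links) < 10


def root_domain(host):
    # Assumption: simplified stand-in for MQL's root_domain (last two labels).
    # A real implementation would use the public suffix list.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_matches(href):
    """True when one link satisfies every per-link condition of the rule."""
    parts = urlsplit(href)
    if root_domain(parts.hostname or "") != ROOT_DOMAIN:
        return False
    path = parts.path.lower()  # strings.icontains on the path
    if not any(marker in path for marker in PATH_MARKERS):
        return False
    # Assumption: query_params is the raw query string, e.g. "lid=1&adurl=..."
    return REDIRECT_PARAM_RE.search(parts.query) is not None


def rule_matches(inbound, links):
    """Whole-rule evaluation: inbound, fewer than 10 links, any link matches."""
    if not inbound:
        return False
    if not len(links) < MAX_LINKS:
        return False
    return any(link_matches(href) for href in links)


# Constructed sample links (not real campaign data).
SAMPLE_LINKS = [
    # hits: doubleclick.net root, /searchads/link/click path, &ds_dest_url=https://
    "https://ad.doubleclick.net/searchads/link/click?lid=1&ds_dest_url=https://example.invalid/login",
    # hits: URL-encoded scheme-relative target, %2F%2F matched case-insensitively
    "https://ad.doubleclick.net/pcs/click?xai=abc&adurl=%2F%2Fexample.invalid%2F",
    # miss: root domain is not doubleclick.net
    "https://www.googleadservices.com/pagead/aclk?sa=L&adurl=https://example.invalid/",
    # miss: right domain but none of the click paths
    "https://ad.doubleclick.net/ddm/clk/1234?x=1",
    # miss: adurl is the first parameter, so the regex's leading '&' is absent
    "https://ad.doubleclick.net/aclk?adurl=https://example.invalid/",
]


def evaluate_samples():
    """Map each constructed link to the per-link verdict."""
    return {href: link_matches(href) for href in SAMPLE_LINKS}


if __name__ == "__main__":
    for href, hit in evaluate_samples().items():
        print("HIT " if hit else "miss", href)
    print("rule fires:", rule_matches(True, SAMPLE_LINKS))
```

The last sample shows a property worth knowing when tuning: because the regex begins with `&`, a click URL whose redirect parameter appears first in the query string is not matched by this rule as written.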

Indicators matched (5)

Field                                       Match       Value
body.links[].href_url.domain.root_domain    equals      doubleclick.net
strings.icontains                           substring   /aclk
strings.icontains                           substring   /pcs/click
strings.icontains                           substring   /searchads/link/click
regex.icontains                             regex       &(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)