Detection rules › Sublime MQL
Open redirect: Google Ad Services
Message contains use of the Google Ad Services open redirect, but the sender is not Google. This has been exploited in the wild.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Open redirect |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| sender.email |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.root_domain == 'googleadservices.com'
and .href_url.path =~ '/pagead/aclk'
and strings.icontains(.href_url.query_params, "adurl=")
)
and sender.email.domain.root_domain != 'google.com'
Detection logic
Scope: inbound message.
Message contains use of the Google Ad Services open redirect, but the sender is not Google. This has been exploited in the wild.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.root_domain is 'googleadservices.com'
- .href_url.path is '/pagead/aclk'
- .href_url.query_params contains 'adurl='
- sender.email.domain.root_domain is not 'google.com'
Inspects: body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, body.links[].href_url.query_params, sender.email.domain.root_domain, type.inbound. Sensors: strings.icontains.
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.root_domain | equals | googleadservices.com |
body.links[].href_url.path | equals | /pagead/aclk |
strings.icontains | substring | adurl= |