Detection rules › Sublime MQL
Open redirect: Klaviyo
Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Spam |
| Tactics and techniques | Evasion, Impersonation: Brand, Open redirect, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.domain == 'manage.kmail-lists.com'
and .href_url.path =~ '/subscriptions/subscribe/update'
and strings.icontains(.href_url.query_params, 'r=')
and not strings.ilike(.display_text, "*subscribe*", "*manage*")
)
Detection logic
Scope: inbound message.
Message contains use of the Klaviyo (kmail-lists.com) open redirect, but the link display text does not match known permutations. This has been exploited in the wild.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.domain is 'manage.kmail-lists.com'
- .href_url.path is '/subscriptions/subscribe/update'
- .href_url.query_params contains 'r='
not:
.display_text matches any of 2 patterns
*subscribe**manage*
Inspects: body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.path, body.links[].href_url.query_params, type.inbound. Sensors: strings.icontains, strings.ilike.
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.domain | equals | manage.kmail-lists.com |
body.links[].href_url.path | equals | /subscriptions/subscribe/update |
strings.icontains | substring | r= |
strings.ilike | substring | *subscribe* |
strings.ilike | substring | *manage* |