Detection rules › Sublime MQL
Open redirect: Meta --> YouTube Redirection Chain
Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Open redirect |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| type |
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.domain == "l.work.meta.com"
// the redirect field
and strings.icontains(.href_url.query_params, "u=")
and regex.icontains(.href_url.query_params,
'u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue='
)
)
Detection logic
Scope: inbound message.
Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.domain is 'l.work.meta.com'
- .href_url.query_params contains 'u='
- .href_url.query_params matches 'u=(?:https?)?(?:(?:%3a|\\:)?(?:\\/|%2f){2})?youtube\\.com[^\\&]*\\/+logout.*continue='
Inspects: body.links, body.links[].href_url.domain.domain, body.links[].href_url.query_params, type.inbound. Sensors: regex.icontains, strings.icontains.
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.domain | equals | l.work.meta.com |
strings.icontains | substring | u= |
regex.icontains | regex | u=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?youtube\.com[^\&]*\/+logout.*continue= |