Detection rules › Sublime MQL
Open redirect: Ticketmaster
Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Open redirect |
Event coverage
Rule body MQL
type.inbound
and any(body.links,
.href_url.domain.domain == 'links.engage.ticketmaster.com'
and .href_url.path =~ '/ctt'
)
and sender.email.domain.root_domain != 'ticketmaster.com'
and headers.return_path.domain.root_domain != "ticketmaster.com"
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.
- inbound message
any of
body.linkswhere all hold:- .href_url.domain.domain is 'links.engage.ticketmaster.com'
- .href_url.path is '/ctt'
- sender.email.domain.root_domain is not 'ticketmaster.com'
- headers.return_path.domain.root_domain is not 'ticketmaster.com'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.links, body.links[].href_url.domain.domain, body.links[].href_url.path, headers.auth_summary.dmarc.pass, headers.return_path.domain.root_domain, sender.email.domain.root_domain, type.inbound. Reference lists: $high_trust_sender_root_domains.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.domain | equals | links.engage.ticketmaster.com |
body.links[].href_url.path | equals | /ctt |