From 7add049b54ba22499d830b65452095689dbe0ee4 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot <hello@sublimesecurity.com>
Date: Fri, 24 Jan 2025 02:58:00 +0000
Subject: [PATCH] Sync from PR#2330

Create open_redirect_designsori.yml by @zoomequipd
https://github.com/sublime-security/sublime-rules/pull/2330
Source SHA 93d22378f46bbdb8c133f296a6f5bef3bd8018cf
Triggered by @zoomequipd
---
 detection-rules/open_redirect_designsori.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection-rules/open_redirect_designsori.yml b/detection-rules/open_redirect_designsori.yml
index 50907877315..1ba425243c6 100644
--- a/detection-rules/open_redirect_designsori.yml
+++ b/detection-rules/open_redirect_designsori.yml
@@ -3,7 +3,7 @@ description: |
   Message contains use of the designsori.com open redirect. This has been exploited in the wild.
 type: "rule"
 severity: "medium"
-source: "type.inbound\nand any(body.links,\n        .href_url.domain.root_domain == \"designsori.com\"\n        and strings.icontains(.href_url.path, 'redirect.php')\n        and regex.icontains(.href_url.query_params, 'url=(?:https?|(?:\\/|%2f)(?:\\/|%2f))')\n        and not regex.icontains(.href_url.query_params, 'url=[^\\&]*designsori\\.com') \n\n)\nand not sender.email.domain.root_domain == \"designsori.com\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+source: "type.inbound\nand any(body.links,\n        .href_url.domain.root_domain == \"designsori.com\"\n        and strings.icontains(.href_url.path, 'redirect.php')\n        and regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}')\n        and not regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*designsori\\.com(?:\\&|\\/|$)') \n\n)\nand not sender.email.domain.root_domain == \"designsori.com\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"
@@ -14,4 +14,4 @@ detection_methods:
   - "URL analysis"
 id: "4c38ff47-4709-5ab9-963c-eabc0732800e"
 testing_pr: 2330
-testing_sha: f9ca9e8e937c5ecff6cfece598f45b05de853841
+testing_sha: 93d22378f46bbdb8c133f296a6f5bef3bd8018cf