Sync from PR#2249

Create open_redirect_xfinity.yml by @zoomequipd
#2249
Source SHA 69a81a6
Triggered by @zoomequipd

detection-rules/open_redirect_xfinity.yml

@@ -0,0 +1,42 @@
+name: "Open Redirect: Xfinity CMP Redirection to Google AMP"
+description: "Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.domain == "cmp.cws.xfinity.com"
+          and strings.icontains(.href_url.query_params, "&targetURL=")
+          and regex.icontains(.href_url.query_params,
+                              '&targetUrl=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?google\.[^\&]*\/+amp\/+s\/+'
+          )
+  )
+  and not sender.email.domain.root_domain in ("xfinity.com", "comcast.net")
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Open redirect"
+  - "Evasion"
+detection_methods:
+  - "Header analysis"
+  - "URL analysis"
+  - "Sender analysis"
+id: "7b9012fa-0f14-57d5-b729-cb3b84565c47"
+testing_pr: 2249
+testing_sha: 69a81a651ce93b0ea0e62747bf96a2a149db4244