From 5c1c06edba5610623deef1bd37421b1f58c95a84 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 27 Dec 2024 15:59:51 +0000
Subject: [PATCH] Sync from PR#2249 Create open_redirect_xfinity.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2249 Source SHA 69a81a651ce93b0ea0e62747bf96a2a149db4244 Triggered by @zoomequipd
---
 detection-rules/open_redirect_xfinity.yml | 42 +++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 detection-rules/open_redirect_xfinity.yml
diff --git a/detection-rules/open_redirect_xfinity.yml b/detection-rules/open_redirect_xfinity.yml
new file mode 100644
index 00000000000..4ae5218f9d7
--- /dev/null
+++ b/detection-rules/open_redirect_xfinity.yml
@@ -0,0 +1,42 @@
+name: "Open Redirect: Xfinity CMP Redirection to Google AMP"
+description: "Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links,
+ .href_url.domain.domain == "cmp.cws.xfinity.com"
+ and strings.icontains(.href_url.query_params, "&targetURL=")
+ and regex.icontains(.href_url.query_params,
+ '&targetUrl=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?google\.[^\&]*\/+amp\/+s\/+'
+ )
+ )
+ and not sender.email.domain.root_domain in ("xfinity.com", "comcast.net")
+ and (
+ not profile.by_sender().solicited
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Open redirect"
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "URL analysis"
+ - "Sender analysis"
+id: "7b9012fa-0f14-57d5-b729-cb3b84565c47"
+testing_pr: 2249
+testing_sha: 69a81a651ce93b0ea0e62747bf96a2a149db4244
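Review bot: The regex on the `'&targetUrl=...'` line accepts a percent-encoded scheme separator (`%3a`, `%2f`) but then demands literal slashes in `\/+amp\/+s\/+`, so a fully URL-encoded target such as `targetURL=https%3A%2F%2Fgoogle.com%2Famp%2Fs%2F...` — the form a query-string value would normally take — is not matched; encode the path separators the same way, e.g. `google\.[^\&]*(?:\/|%2f)+amp(?:\/|%2f)+s(?:\/|%2f)+`. Both the `strings.icontains(.href_url.query_params, "&targetURL=")` guard and the regex also require a leading `&`, which presumably misses a link where `targetURL` is the first parameter; `(?:^|&)targetUrl=` in the regex would cover both positions, and the `strings.icontains` line is then redundant with the regex and can be dropped. I cannot tell from the hunk whether the CMP endpoint always places another parameter first, so that part is worth checking against real samples before relaxing it.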