From 4e4a776f73b2ffe6db65bd700c25c04e5d56d03d Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 9 Jan 2025 22:08:08 +0000
Subject: [PATCH] Sync from PR#2272 Create open_redirect_meta_youtube.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2272 Source SHA a3375ebbc007268fa99a9803f0130a25ca331da4 Triggered by @zoomequipd
---
 .../open_redirect_meta_youtube.yml | 2 +-
 .../open_redirect_youtube_google.yml | 26 -------------------
 2 files changed, 1 insertion(+), 27 deletions(-)
 delete mode 100644 detection-rules/open_redirect_youtube_google.yml
diff --git a/detection-rules/open_redirect_meta_youtube.yml b/detection-rules/open_redirect_meta_youtube.yml
index e86508c463a..e2f3ae29975 100644
--- a/detection-rules/open_redirect_meta_youtube.yml
+++ b/detection-rules/open_redirect_meta_youtube.yml
@@ -20,4 +20,4 @@ detection_methods:
 - "URL analysis"
 id: "f217fd10-48fe-553a-8e63-4da9fb3fbc64"
 testing_pr: 2272
-testing_sha: 1f46172d97c2f0a3df9da8016eaa2f71a54e1157
+testing_sha: a3375ebbc007268fa99a9803f0130a25ca331da4
diff --git a/detection-rules/open_redirect_youtube_google.yml b/detection-rules/open_redirect_youtube_google.yml
deleted file mode 100644
index 0357577170f..00000000000
--- a/detection-rules/open_redirect_youtube_google.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: "Open Redirect: YouTube --> Google Redirection Chain"
-description: |
- Message contains use of a redirect chain which involves YouTube and Google amp. This has been exploited in the wild.
-type: "rule"
-severity: "medium"
-source: |
- type.inbound
- and any(body.links,
- (
- .href_url.domain.root_domain == "youtube.com"
- and strings.icontains(.href_url.path, 'logout')
- // the redirect field
- and strings.icontains(.href_url.query_params, "continue=")
- and regex.icontains(.href_url.query_params, '&continue=(?:https?)?(?:(?:%3a|\:)?(?:\/|%2f){2})?google\.com[^\&]*\/+amp\/+s\/+')
- )
- )
-attack_types:
- - "Credential Phishing"
-tactics_and_techniques:
- - "Open redirect"
-detection_methods:
- - "Sender analysis"
- - "URL analysis"
-id: "67823fac-cb03-5aea-a8ff-782e2e8c42d4"
-testing_pr: 2272
-testing_sha: 1f46172d97c2f0a3df9da8016eaa2f71a54e1157