
Create link_userinfo_excessive_padding.yml #2299

Status: Merged (5 commits, Jan 15, 2025)

Conversation

zoomequipd (Member) commented Jan 10, 2025

Description

A generic approach to #2297

This rule identifies suspicious URLs that exploit the username component in links with 'youtube.com'. Attackers use this technique to trick users into believing the link is legitimate while redirecting to a malicious domain. The rule detects:

- Links where youtube.com is used as a username (e.g., [email protected]) and where the root domain does not match youtube.com.
- Excessive URL-encoded padding (%20) that obscures the malicious domain in previews, such as in email clients or chat applications.

Associated samples

Associated hunts
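As an added example (not the rule from this PR), the conditions the description lists can be checked on an individual href with Python's standard `urllib.parse`: whether the userinfo (username) part of the URL contains the lookalike domain, whether the real host's root domain differs from it, and how much `%20` padding sits in the userinfo. The lookalike domain youtube.com comes from the description; the padding threshold of 20, the AND-combination of the three signals, the last-two-labels root-domain guess and the hosting domain example.invalid are assumptions made here for illustration, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample links (not samples from the PR); example.invalid is a
# placeholder for whatever host actually serves the page.
PADDED_LURE = "https://youtube.com" + "%20" * 30 + "@example.invalid/login"
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=abc123",   # ordinary link, no userinfo
    "https://youtube.com@example.invalid/",     # lookalike userinfo, no padding
    PADDED_LURE,                                # lookalike userinfo + %20 padding
    "https://youtube.com%20%20@youtube.com/",   # userinfo present but root matches
]


def root_domain(hostname):
    """Naive registrable-domain guess: the last two DNS labels.

    Assumption: no public-suffix list is consulted, so a host under a
    two-level suffix such as example.co.uk would wrongly yield 'co.uk'.
    """
    labels = [label for label in hostname.lower().split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def analyze_link(url, lookalike="youtube.com", padding_threshold=20):
    """Return the per-URL signals behind the description's conditions.

    padding_threshold and the AND-combination in 'suspicious' are assumed
    values for this example, not taken from the rule in the PR.
    """
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo; browsers
    # and most mail clients connect to the host after it, not to the userinfo.
    userinfo = parts.netloc.rpartition("@")[0]
    username = parts.username or ""
    hostname = parts.hostname or ""
    root = root_domain(hostname)
    signals = {
        "userinfo_present": bool(userinfo),
        "lookalike_in_userinfo": lookalike in username.lower(),
        "root_domain": root,
        "root_mismatch": root != lookalike,
        "padding_count": userinfo.count("%20"),
    }
    signals["suspicious"] = (
        signals["lookalike_in_userinfo"]
        and signals["root_mismatch"]
        and signals["padding_count"] >= padding_threshold
    )
    return signals


def scan_links(links, **kwargs):
    """Return the subset of links whose combined signals read as suspicious."""
    return [url for url in links if analyze_link(url, **kwargs)["suspicious"]]


if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        s = analyze_link(url)
        verdict = "FLAG" if s["suspicious"] else "ok  "
        print(f"{verdict} root={s['root_domain']:<16} pad={s['padding_count']:<3} {url[:60]}")
```

Run as a script it prints one line per sample and flags only the padded lure; the second sample (userinfo without padding) is left for a human to judge because the threshold is not met, which is the trade-off the padding condition buys: fewer alerts on benign basic-auth style URLs at the cost of missing a short lure.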

@zoomequipd zoomequipd requested a review from a team as a code owner January 10, 2025 17:49
zoomequipd (Member, Author) commented:

/update-test-rules

github-actions bot pushed a commit that referenced this pull request Jan 10, 2025
Create link_user_info_excessive_padding.yml by @zoomequipd
#2299
Source SHA bfbb8a5
Triggered by @zoomequipd
@zoomequipd zoomequipd changed the title Create link_user_info_excessive_padding.yml Create link_userinfo_excessive_padding.yml Jan 10, 2025
@zoomequipd zoomequipd added the review-needed Indicates that a PR is waiting for review label Jan 14, 2025
zoomequipd (Member, Author) commented:

looks good, still active use of this technique today.

@zoomequipd zoomequipd added this pull request to the merge queue Jan 15, 2025
Merged via the queue into main with commit 0d6cb0d Jan 15, 2025
3 checks passed
@zoomequipd zoomequipd deleted the zoomequipd-patch-20 branch January 15, 2025 19:07
Labels
in-test-rules review-needed Indicates that a PR is waiting for review