Conversation
Low telemetry, but results look good. Marking r4r
IndiaAce left a comment
The telemetry on this is awesome, and I love the idea here. I think we do need some sort of early gating. I have a few ideas you might consider trying out. The FPs I found in test rules I was unable to share with the customer, but one of them, 50048ac55cca8c8c558b1af119a8a5255414952225388a55a01edaf1d572a5c8, stuck out to me. It looks like they're coordinating an Airbnb rental. It's a reply, so you could negate replies!
Just to keep the review-needed queue organized I'm going to take off the review-needed label, lmk if you want to chat about that! (also hmu for what customer that canonical is if you wanted to look at it, it's not in sws)
Looks like the FP was because of a legit redirect, added some negations that help combat these types of scenarios
Removed regex restraint from URL redirect rule.
Spoke with @IndiaAce, took off the regex restraint to open the rule up a bit. Results look promising
Added additional sender logic, negates some FPs found in test rules, but also flags additional FNs. Hunt results looked solid. |
Mode results looked good, latest commit was to negate some graymail hits, but otherwise results looked all malicious. L365D 'and not' hunt only returned the graymail hits. L90D hunt returned all malicious, likely_benign hits all seemed malicious, no graymail. Marking r4r. |
…king spoofed display URL
IndiaAce left a comment
Latest results look great! Nice work on this, approved!
Description
This rule detects URLs inside of messages where the display_url redirects to malicious sites with a hotel review based theme.
Associated samples
Associated hunts
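The detection described above, shown as an added illustration in Python rather than as the rule itself (this is not the repository's rule logic or the platform's query language): it extracts every link from an HTML body, flags links whose visible text reads as a URL for a different registered domain than the href actually points to, and applies the "negate replies" gating suggested in the review. The message shape (a dict with subject and body_html), the helper names, the two-label domain comparison and the sample messages are all assumptions constructed for the example; the hotel-review-themed samples use .example hosts and are not real campaign data.

```python
"""Flag links whose visible text shows one domain while the href points to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that a reader would take for a URL (scheme and www. optional).
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registered_domain(host):
    """Reduce a hostname to its last two labels.

    Assumption/simplification: a production rule would consult a public-suffix
    list so that multi-label suffixes (co.uk and similar) compare correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_display_links(html):
    """Return hrefs whose displayed text looks like a URL on a different domain."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = URL_LIKE.match(text)
        if not shown:
            continue  # link text is a phrase ("click here"), not a displayed URL
        actual_host = urlparse(href).hostname or ""
        if not actual_host:
            continue  # relative or mailto-style link; nothing to compare against
        if registered_domain(shown.group(1)) != registered_domain(actual_host):
            flagged.append(href)
    return flagged


def is_reply(subject):
    """Gating from the review discussion: replies in an existing thread are negated."""
    return subject.strip().lower().startswith("re:")


def evaluate(message):
    """Hypothetical rule: a spoofed display URL in a message that is not a reply."""
    if is_reply(message["subject"]):
        return []
    return spoofed_display_links(message["body_html"])


# Constructed sample messages (placeholders, not customer data).
SPOOFED = {
    "subject": "Your recent stay: please leave a review",
    "body_html": '<p>Rate your stay at <a href="https://login-verify.example/r?x=1">'
                 'https://www.hotelreviews.example/review</a></p>',
}
REPLY = {
    "subject": "Re: Your recent stay: please leave a review",
    "body_html": SPOOFED["body_html"],
}
HONEST = {
    "subject": "Your recent stay: please leave a review",
    "body_html": '<p>Rate your stay at <a href="https://www.hotelreviews.example/review/123">'
                 'https://www.hotelreviews.example/review</a> or '
                 '<a href="https://t.example/abc">click here</a></p>',
}

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("reply", REPLY), ("honest", HONEST)]:
        print(name, evaluate(msg))
```

The first sample is flagged because the displayed hotelreviews.example text resolves to login-verify.example; the same body in a Re: thread is negated, matching the reviewer's observation that the Airbnb-coordination false positive was a reply; the honest sample passes because its displayed URL and href share a registered domain and its "click here" anchor is not URL-shaped text.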