Annotator · ref

Referrer abuse

Referrer patterns look manipulated, irrelevant, or inconsistent with normal navigation.

Attack family · Redirect abuse, traffic laundering, and origin spoofing
Phase · Delivery and misdirection
Risk · Medium

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Redirect and referrer parameter abuse
  • External referers on auth-like endpoints
  • Open-redirect and base64-wrapped redirect chains
Logic
  • The annotator looks for manipulated referrer paths and redirect-style parameters.
  • It emits multiple small findings when one request carries several redirect hints.
  • Its value is explaining why referrer analytics or auth flows look tampered with.
Attack Family
Redirect abuse, traffic laundering, and origin spoofing
Phase · Delivery and misdirection
Risk · Medium
Referrer abuse tells you when an attacker is trying to fabricate navigation context, bounce through trusted surfaces, or make a malicious flow look organic.
Damage Patterns
  • Open-redirect style flows can be used for phishing, session abuse, and laundering traffic through legitimate domains.
  • Fake referrers also poison analytics and make fraud or abuse campaigns look more legitimate than they are.
Incident Lore
  • Some of the most damaging redirect issues were not memory-corruption bugs but trust bugs: users and systems followed links they believed came from a trusted path.
  • Referrer manipulation routinely appears in spam, phishing, affiliate abuse, and login-flow tampering.
How To Read It
Use this to separate natural navigation from traffic that is trying to spoof origin or bounce through your login surface.
Defender Takeaway
Use this to separate real user journeys from adversarial route-shaping. The value is in the story of misdirection.
Catalog Definition
Flags suspicious referrer behavior such as clearly fabricated referrers, referrers that do not match realistic navigation paths, or referrers used in repetitive spam-like ways. This annotator helps explain why referrer analytics may be untrustworthy and can also indicate low-effort automation or probing.
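As an added illustration of the Logic section above (not the annotator's own code): a small Python checker that applies the two rules seen in this catalog's samples, ref:external_referer_to_auth and ref:open_redirect_param, to constructed access events, unwrapping base64-wrapped redirect targets as well. The site host, auth-path hints and redirect parameter names are assumptions; the real annotator's lists are not on this page.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "example.org"  # assumed: the protected site's own hostname
AUTH_PATH_HINTS = ("/login", "/signin", "/auth/", "/admin/", "/account")  # assumed list
REDIRECT_PARAMS = {"next", "redirect", "redirect_uri", "return", "url", "goto"}  # assumed

def external_host(value):  # off-site hostname of an http(s)/scheme-relative URL, else None
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal in the netloc
        return None
    host = parts.hostname  # lowercased, port and userinfo stripped
    if parts.scheme not in ("", "http", "https") or not host:
        return None
    return None if host == SITE_HOST or host.endswith("." + SITE_HOST) else host

def decode_b64_url(value):  # unwrap a base64/base64url-encoded URL, else None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://", "//")) else None

def annotate(event):  # every (rule, detail) finding for one event; several may fire
    findings = []
    parts = urlsplit(event["path"])
    referer_host = external_host(event.get("referer", ""))
    if referer_host and any(h in parts.path.lower() for h in AUTH_PATH_HINTS):
        findings.append(("ref:external_referer_to_auth", referer_host))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for raw in values:
            host = external_host(unquote(raw))  # second unquote catches double-encoding
            if host is None:
                wrapped = decode_b64_url(raw)  # base64-wrapped redirect chain
                host = external_host(wrapped) if wrapped else None
            if host:
                findings.append(("ref:open_redirect_param", f"{name} -> {host}"))
    return findings

# Constructed sample events in the catalog's sample shape (not from its cache).
SAMPLE_EVENTS = [
    {"path": "/admin/login/?next=/admin/", "referer": "https://search.example.net/"},
    {"path": "/admin/login/?next=/admin/", "referer": "https://example.org/dashboard"},
    {"path": "/drill-access-required/?next=https%3A%2F%2Fattacker.example.com", "referer": ""},
    {"path": "/login/?next=aHR0cHM6Ly9ldmlsLmV4YW1wbGUv", "referer": "https://lure.example.com/"},  # b64 URL
]
```

The fourth event fires both rules in one request, which is the "multiple small findings" behaviour the Logic section describes.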

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
  • Week: 2026W16
  • Lookback: 30 days
  • Total matched: 941
  • Latest sample: Apr 12, 2026 • 21:06
  • Top rules: ref:external_referer_to_auth · 8, ref:open_redirect_param · 2
  • Top requester orgs: Ucloud Information Technology (hk) Limited · 3, Oracle Cloud Infrastructure (us-phoenix-1) · 2, Huawei Cloud · 2
  • Severity mix: severity 6 · 8, severity 9 · 2
  • Method mix: GET · 9, POST · 1
Each sample below lists method · status · severity, then the timestamp, the request path, the finding, and the requester details with the rule that fired.

GET · 200 · severity 6 · Apr 12, 2026 • 21:06
  /godai/login/?next=%2Fgodai%2Faccess%2F%3Fbrowse_scope%3Dcity%26country%3DUnited%2BStates%26region%3DVirginia%26city%3D…
  External referer observed on an auth-like endpoint
  IP 43.166.244.192 · Subnet 43.166.244.0/24 · Country United States · Rule ref:external_referer_to_auth

GET · 200 · severity 6 · Apr 12, 2026 • 09:28
  /admin/login/?next=/admin/
  External referer observed on an auth-like endpoint
  IP 129.153.94.60 · Subnet 129.153.94.0/24 · Org Oracle Cloud Infrastructure (us-phoenix-1) · Country United States · Rule ref:external_referer_to_auth

GET · 200 · severity 6 · Apr 12, 2026 • 09:28
  /admin/login/?next=/admin/
  External referer observed on an auth-like endpoint
  IP 129.153.94.60 · Subnet 129.153.94.0/24 · Org Oracle Cloud Infrastructure (us-phoenix-1) · Country United States · Rule ref:external_referer_to_auth

GET · 404 · severity 6 · Apr 12, 2026 • 09:25
  /auth/env/.env
  External referer observed on an auth-like endpoint
  IP 114.119.154.229 · Subnet 114.119.154.0/24 · Org Huawei Cloud · Country Singapore · Rule ref:external_referer_to_auth

GET · 301 · severity 6 · Apr 12, 2026 • 09:25
  /auth/env/.env
  External referer observed on an auth-like endpoint
  IP 114.119.154.229 · Subnet 114.119.154.0/24 · Org Huawei Cloud · Country Singapore · Rule ref:external_referer_to_auth

GET · 200 · severity 9 · Apr 12, 2026 • 07:30
  /report_ipaddress/drill-access-required/?ip=159.223.103.226&next=https%3A%2F%2Fattacker.example.com
  Open-redirect style parameter points to an external URL
  IP 134.147.21.192 · Subnet 134.147.21.0/24 · Org RUB Inet · Country Germany · Rule ref:open_redirect_param

GET · 200 · severity 9 · Apr 12, 2026 • 07:04
  /report_ipaddress/drill-access-required/?ip=35.231.115.116&next=https%3A%2F%2Fattacker.example.com
  Open-redirect style parameter points to an external URL
  IP 134.147.21.192 · Subnet 134.147.21.0/24 · Org RUB Inet · Country Germany · Rule ref:open_redirect_param

GET · 200 · severity 6 · Apr 11, 2026 • 08:05
  /admin/login/?next=/admin/webadmin.php%3Fmod%3Ddo%26act%3Dlogin
  External referer observed on an auth-like endpoint
  IP 165.154.5.115 · Subnet 165.154.5.0/24 · Org Ucloud Information Technology (hk) Limited · Country Hong Kong · Rule ref:external_referer_to_auth

GET · 404 · severity 6 · Apr 11, 2026 • 08:05
  /api/account/price_rate
  External referer observed on an auth-like endpoint
  IP 165.154.5.115 · Subnet 165.154.5.0/24 · Org Ucloud Information Technology (hk) Limited · Country Hong Kong · Rule ref:external_referer_to_auth

POST · 404 · severity 6 · Apr 11, 2026 • 08:05
  /api/v1/seller/login
  External referer observed on an auth-like endpoint
  IP 165.154.5.115 · Subnet 165.154.5.0/24 · Org Ucloud Information Technology (hk) Limited · Country Hong Kong · Rule ref:external_referer_to_auth