Malware delivered via embedded HLS/M3U8 players — indicators & mitigations - TechRepublic
General discussion
October 9, 2025 at 08:12 AM
initbox346

Malware delivered via embedded HLS/M3U8 players — indicators & mitigations

by initbox346. Updated 7 months, 3 weeks ago

Hi all — I’ve been tracking a pattern where threat actors deliver malicious payloads or redirect logic through web video players (HLS / M3U8). It’s not classic email phishing, but a delivery vector that can be abused on compromised pages or via malicious CDN responses. I wanted to share observations and ask for best practices:

Observed indicators

Player requests returning unexpected query parameters or extra #EXT-X tags that include redirecting URLs.

Mixed content or inline scripts injected around the player iframe leading to third-party redirect chains.

Abnormal Content-Type or Content-Disposition headers on playlist requests.

Sudden changes in CORS behavior, or playlist segments served from unknown hostnames.

What I’ve tried

Logging all playlist and segment requests at the reverse proxy level and comparing headers.

Using a local HLS test harness to replay suspicious manifests and inspect segment payloads. (I ran a few controlled tests on a demo sandbox to validate header anomalies and redirect behavior without touching production assets.)

Questions / mitigation ideas I’m exploring

Is it common to see threat actors inject redirect logic into the playlist itself, or is the injection more often in the page wrapper around the player?

Practical ways to detect this at scale: should we focus on abnormal header patterns, extra query strings, or changes in hostnames for segments?

Recommendations for WAF rules / CDN edge rules that effectively catch playlist tampering (example rules people use for EXTINF/playlist integrity checks would be very helpful).

Tools or scripts others use for automated replaying + scanning of manifests for hidden redirects or embedded payloads.

Happy to share anonymized examples (headers/manifests) if people want to collaborate. Would appreciate any real-world tactics your teams use to detect/mitigate this attack surface — thanks!
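The scanner below is an added example, not code from the original post: a small offline check for the playlist-level indicators listed above (segment or key URIs on hosts outside an allowlist, non-HTTP schemes, tags not defined in RFC 8216, query parameters beyond the ones your signed-URL scheme uses) plus a check that the playlist response headers look like a playlist. The hostnames, the `#EXT-X-CUSTOM-REDIRECT` tag, the sample manifest and the sample headers are all constructed for the demo; the known-tag set is the RFC 8216 list and would need extending for LL-HLS tags such as `#EXT-X-PART` if you serve them.

```python
# Added example (not from the post): offline scanner for HLS/M3U8 tampering indicators.
# All hostnames, the custom tag, the sample manifest and headers are constructed.
import re
from urllib.parse import urljoin, urlsplit, parse_qsl

# Tags defined in RFC 8216; extend for LL-HLS (#EXT-X-PART, #EXT-X-SKIP, ...) if used.
KNOWN_TAGS = {
    "#EXTM3U", "#EXT-X-VERSION", "#EXTINF", "#EXT-X-BYTERANGE", "#EXT-X-DISCONTINUITY",
    "#EXT-X-KEY", "#EXT-X-MAP", "#EXT-X-PROGRAM-DATE-TIME", "#EXT-X-DATERANGE",
    "#EXT-X-TARGETDURATION", "#EXT-X-MEDIA-SEQUENCE", "#EXT-X-DISCONTINUITY-SEQUENCE",
    "#EXT-X-ENDLIST", "#EXT-X-PLAYLIST-TYPE", "#EXT-X-I-FRAMES-ONLY", "#EXT-X-MEDIA",
    "#EXT-X-STREAM-INF", "#EXT-X-I-FRAME-STREAM-INF", "#EXT-X-SESSION-DATA",
    "#EXT-X-SESSION-KEY", "#EXT-X-INDEPENDENT-SEGMENTS", "#EXT-X-START",
}
PLAYLIST_CONTENT_TYPES = {"application/vnd.apple.mpegurl", "application/x-mpegurl",
                          "audio/mpegurl", "audio/x-mpegurl"}
URI_ATTR = re.compile(r'URI="([^"]*)"')


def check_uri(uri, base_url, allowed_hosts, expected_params, where):
    """Resolve a playlist URI against the manifest URL; report scheme/host/query anomalies."""
    absolute = urljoin(base_url, uri)        # handles relative and scheme-relative (//host/..) URIs
    parts = urlsplit(absolute)
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(("bad-scheme", f"{where}: {uri}"))
        return findings                      # no host to evaluate for a non-HTTP URI
    if parts.hostname not in allowed_hosts:
        findings.append(("foreign-host", f"{where}: {absolute}"))
    # Signed-URL tokens are normal; only parameter names outside the expected set are flagged.
    unexpected = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
                        - set(expected_params))
    if unexpected:
        findings.append(("unexpected-query", f"{where}: {','.join(unexpected)}"))
    return findings


def scan_manifest(text, base_url, allowed_hosts, expected_params=frozenset()):
    """Return (kind, detail) findings: bad header, unknown tags, foreign hosts, bad schemes, odd queries."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "#EXTM3U":
        findings.append(("bad-header", "playlist does not start with #EXTM3U"))
    for ln in lines:
        if ln.startswith("#EXT"):
            tag = ln.split(":", 1)[0]
            if tag not in KNOWN_TAGS:
                findings.append(("unknown-tag", ln))
            m = URI_ATTR.search(ln)          # EXT-X-KEY, EXT-X-MAP, EXT-X-MEDIA ... carry URI="..."
            if m:
                findings += check_uri(m.group(1), base_url, allowed_hosts, expected_params, tag)
        elif ln.startswith("#"):
            continue                         # plain comment line, ignored by players
        else:
            findings += check_uri(ln, base_url, allowed_hosts, expected_params, "segment")
    return findings


def check_headers(headers):
    """Flag a playlist response whose Content-Type/Content-Disposition do not fit a playlist."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype not in PLAYLIST_CONTENT_TYPES:
        findings.append(("content-type", ctype or "(missing)"))
    if "attachment" in h.get("content-disposition", "").lower():
        findings.append(("content-disposition", h["content-disposition"]))
    return findings


# Constructed sample: a legitimate key URI and a signed segment, then three tampered lines.
# "#EXT-X-CUSTOM-REDIRECT" is a made-up tag standing in for the extra tags described in the post.
SAMPLE_MANIFEST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.net/k1.key"
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
https://cdn.example.com/v/seg1.ts?token=abc
#EXT-X-CUSTOM-REDIRECT:URI="https://evil.example.org/landing"
#EXTINF:6.0,
//evil.example.org/seg2.ts
#EXTINF:6.0,
javascript:alert(1)
#EXT-X-ENDLIST
"""
SAMPLE_HEADERS = {"Content-Type": "application/octet-stream",
                  "Content-Disposition": "attachment; filename=playlist.m3u8"}
ALLOWED_HOSTS = {"cdn.example.com", "keys.example.net"}


def demo():
    manifest_findings = scan_manifest(SAMPLE_MANIFEST, "https://cdn.example.com/v/master.m3u8",
                                      ALLOWED_HOSTS, expected_params={"token"})
    header_findings = check_headers(SAMPLE_HEADERS)
    return manifest_findings, header_findings


if __name__ == "__main__":
    manifest_findings, header_findings = demo()
    for kind, detail in manifest_findings + header_findings:
        print(f"{kind:20} {detail}")
```

Run against the constructed sample it reports the unknown tag, the two foreign hosts (the tag's URI and the scheme-relative segment), the `javascript:` segment and both header anomalies, while the legitimate key URI and the `?token=` segment stay quiet. The host allowlist is the check that catches most of what the post describes; the unknown-tag check is noisy unless you keep the set current with what your packager actually emits.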
