Phishing Email IOCs
IOCs from phishing emails reported by my users that should be blocked on your email server and endpoints
"Google Drive" Phish
Phishing Domain: https://avbc.me/VVR9BufO (Blocked by Defender SmartScreen)
Resolved IP: 191.6.218.52 (Cyberweb Networks Brazil)
Sending Domain: lineaccountaccess.helpacccontac.us via [email protected]
"Password Reset" Phish
Phishing Domain: trailblazingtrans.com (Blocked by Defender SmartScreen)
Resolved IP: 162.241.120.242 (NetworkSolutions US)
Sending Domain: dsgo.org
Phishing Domain: dreamachronicles.co.zw (server DoS)
Resolved IP: 104.21.46.195 (Cloudflare)
Sending Domain: ikyam.com
Phishing Domain: http://login.minmetal.co.uk/ (connection refused)
Resolved IP: 172.187.218.164 (Azure UK)
Sending Domain: sdsdental.co.uk
Phishing Domain: r.srvtrck.com (Blocked by Defender SmartScreen)
Resolved IP: 104.18.206.219 (Cloudflare)
Sending Domain: berksyouthchorus.org
Phishing Domain: jocopar.com.br
Resolved IP: 162.214.175.250 (US)
Sending Domain: csibpo.com
Phishing Domain: berrantesbjsboiadeiro.com.br
Resolved IP: 31.170.163.201 (US)
Sending Domain: mpluscreate.com
Phishing Domain: apiservices.krxd.net
Resolved IP: 151.101.194.133 (US Fastly = shitty VPN service that gets hacked all the time lol)
Sending Domain: congregationhabonim.org
Phishing Domain: o513.ru
Resolved IP: 104.21.55.116 (Cloudflare US)
Sending Domain: bigpond.net.au
Phishing Domain: 364.069aw.com
Resolved IP: 103.153.183.192 (US Server, owned by SnTHostings India)
Sending Domain: keystonefs.com
Phishing Domain: https://gem.godaddy.com/signups/activate/MS0tbVdoMWpGVGlLVmc5SkROTFExUHRkeDhzTjFrNEk4V1lZUmM1bkFPRjA1d3JQWWVrYUlUY3Bac2s2NUJqSm0vaG1hSHl0UlVZQXBvdy0tUVdtWkJFWllMMWx5Q2xvZy0ta2xjNER0TUJvUWM1YWovMlRVZmY5dz09?signup=6867956#cGF1bEBoZWFyLmNvbQ==
Resolved IP: 198.71.248.151 (GoDaddy US)
Sender: [email protected]
Phishing Domain: http://97f1ac.exippureshop.com/#YW5hLnRhbmdhcmlAaGVhci5jb20=
Resolved IP: does not resolve
Sender: [email protected]
Phishing Domain: blog.stranebl.ru (loads generic Microsoft-ish login page prefilled with the target's email address)
Resolved IP: 172.67.175.151 (Cloudflare US)
Sending Domain: s-o-l.co.jp
"Microsoft Teams File" Phish
Phishing Domain: vitalityss.co (cipher mismatch error)
Resolved IP: 45.153.243.131 (Germany)
Sending Domain: stonegatecommunities.com
Phishing Domain: https://www.getdrip.com/links/3041647/536268417?__s=xxxxxxx&utm_source=drip&utm_medium=email&utm_campaign=Lil+durk+It (page no longer exists)
Resolved IP: 54.172.232.225 (Amazon US)
Sending Domain: itisdalmine.edu.it
"Storage is Full" Phish
Phishing Domain: myalumni.mcgill.ca (target page deleted)
Resolved IP: 104.17.58.157 (valid McGill Alumni page)
Sending Domain: [email protected]
Phishing Domain: Hear.storage.OFFICE.COM
Resolved IP: does not resolve
Sending Domain: usssa.com
"Messages on Hold" Phish
Phishing Domain: tzmk.uz
Resolved IP: 62.209.128.119 (Uzbekistan)
Sending Domain: Spoofed company address. Source IP 150.242.140.13 (India)
Phishing Domain: masterpsascomplete.com
Resolved IP: 104.21.63.126 (Cloudflare)
Sending Domain: linkasink.com
Phishing Domain: https://qr.link/XnaUCv (host shows "QR code deleted")
Resolved IP: 104.21.74.230
Sending Domain: presqueisleharbor.org
Phishing Domain: http://blaccuk.franklinareahomes.com/#ZnJhbmsubWFydGVyQGF1ZGliZW5lLmRl (parked domain)
Resolved IP: 199.59.243.225 (Amazon US)
Sending Domain: baylinkusa.com
"SharePoint Documents" Phish
Phishing Domain: links.marketing.audicrm.co.uk (access denied message)
Resolved IP: 13.224.222.71 (US Amazon CloudFront)
Sending Domain: conectandolocal.net
Phishing Domain: autoconnect-employer.info (came from a LinkedIn redirect URL hxxps://linkedin.com/slink?code=grFXbCmW#YW5hLnRhbmdhcmlAaGVhci5jb20= that resolved to this domain. Blocked by Defender SmartScreen.)
Resolved IP: 104.21.73.211
Sending Domain: kascoeng.com
Phishing Domain: cmchotles.com (Defender SmartScreen blocks)
Resolved IP: 172.67.195.200 (US Cloudflare)
Sending Domain: iotaphitheta.org
Phishing Domain: n6uac3dj677jcr5mthvv.v4a6kmj.ru
Resolved IP: 172.67.209.234 (Cloudflare US)
Sending Domain: tuckersblackangusranch.com
Phishing Domain: i16gstu05q4724snh2aj.9hiljlr.ru
Resolved IP: does not resolve
Sending Domain: jako.biz
Phishing Domain: q6o2u7qdab8l1192sg5m.wmn8esq.ru
Resolved IP: does not resolve
Sending Domain: eplancanada.com
Phishing Domain: https://rb.gy/kw02j?rb.routing.mode=proxy&rb.routing.signature=336673#YW5nZWxhLmNvZWxob0BoZWFyLmNvbQ==
Resolved IP: 34.194.223.150 (Amazon US)
Sending Domain: ataselmuhendislik.com.tr
"Xerox Fax" Phish
Phishing Domain: nms6tcrb0o.loughly.tech
Resolved IP: 199.192.25.226 (US Namecheap)
Sending Domain: brightwellaquatics.com
Phishing Domain: dqy7hda9zginrcl9ljl0.l7gn0ak.ru
Resolved IP: 104.21.71.42 (Cloudflare RU)
Sending Domain: coursenetworking.com
"Daily Quarantine Report" Phish
Phishing Domain: mainrotyry.top
Resolved IP: 172.67.220.85 (US Cloudflare)
Sending Domain: boisestate.edu
"Secure Messaging" Phish
Phishing Domain: https://shaadiweds.com/vendor/EhEzkQwh/2gvu1rhk/YWxleGFuZHJhLmthdHRoYWdlbkBoZWFyLmNvbQ==
Resolved IP: 111.118.215.189 (PDR IN)
Sending Domain: nashvilledental.com
"Security Authentication" Phish
These are new phishing attacks that send a QR code (Quishing, apparently) to scan to take you to a phishing site. I collected this data by scanning the QR code and detonating the URL in my sandbox. Most use multiple redirects.
Phishing Domain 1: 483-dfxjsf2.one (first hop, warning presented by SmartScreen)
Phishing Domain 2: fmasoewqrcde32q09idtg.reoirewoqrcde.top (took you to a really bad captcha spoof, which then presented a Microsoft login screen for username)
Phishing Domain 3: l1ve.reoirewoqrcde.top (requested password - shows you an account blocked window, prompting you to reset your password)
Phishing Domain 4: account.reoirewoqrcde.top (which takes you through account recovery. It then prompts you for a bogus security question (if you select that option): "Mother's maiden name"; or if you go the email verification route it will ask you for the last 4 digits of your phone number because it is "splitting" the token values between your email and phone. Doesn't matter what you enter, it always comes back as "That didn't work" or "Service unavailable, try again later". They really want your shit)
Resolved IP: 111.90.145.243 (MY) & 79.110.62.139 (NL - last 3 domains resolve to this IP)
Sending Domain: iwave.com
Phishing Domain: naijaflip.com.ng
Resolved IP: does not resolve
Sending Domain: correosprepago.es
Phishing Domain: https://www.baidu.com/link?url=ou4XHApstHkj9DoANHyTZRHTQge3MuRe4WD6RoRNwOt0Ywy0bCjt0tqv7zwMjhUR#YW5hLnRhbmdhcmlAaGVhci5jb20= (will not load, I have a hard block on China)
Resolved IP: 104.193.88.77
Sending Domains: ertpl.com; promus.us
Phishing Domain: dxbrzwvwdgv4ddj3zxr3da.stkw.ru
Resolved IP: 141.95.99.203 (OVH SAS France); 107.161.185.98 (HostDime.com US)
Sending Domain: mandellbrown.com
Phishing Domain: eu-plan.us-iad-1.linodeobjects.com
Resolved IP: 139.144.192.174 (Akamai US)
Sending Domain: dawnwilsonrealty.com
Phishing Domain: e9d02e.fxxplrs.nl
Resolved IP: does not resolve
Sending Domain: [email protected]; eilisys.com
Phishing Domain: https://www.baidu.com/link?url=JXSliW8SPFSUrh4_3nQhQ4qohyjI6zcUPzS2vPVfL9W#YWxpbmEuYXJsb3R0QGF1ZGliZW5lLmRl
Resolved IP: 104.193.88.123 (CN)
Sending Domain: sky.plala.or.jp
Phishing Domain: a6sylro1kmn8qmx4s19d.3me1oun.ru
Resolved IP: does not resolve
Sending Domain: primecorescapital.com
Phishing Domain: s4t5u6v7w8x9.pc3w8o7.ru
Resolved IP: 172.67.181.213 (Cloudflare US)
Sending Domain: limos4.com
Phishing Domain: https://gem.godaddy.com/signups/activate/MS0tRDBqdUZmWHdQQy9DdEhMdG1sVXNvUmJlaWtlREdmbzJZNWlCSjRlMjVKOFI4c3hrYWQyM0E4RW8vRWc4MkVxR0I0ck91NEVBVnlDM1BXNlJDZz09LS1JR1BGYzh4ZUE2clhZbDBnLS0rR1crYUMzUzgwWFpRai9kdHZ2NzVRPT0=?signup=6917905#a2lsZXkua2FwbGFuQGhlYXIuY29t
Resolved IP: 198.71.248.151
Sending Domain: lime.plala.or.jp
Phishing Domain: t6zlleg09h1z7lg5u8zj.kn61rtt.ru
Resolved IP: does not resolve
Sending Domain: demaniophotography.com
Phishing Domain: minimalistbeliever.com
Resolved IP: 111.90.148.115 (MY)
Sending Domain: gyges.org; nationalcreditsystems.com; yellowbarnwinery.com
Phishing Domain: https://gem.godaddy.com/signups/activate/MS0tS0RtQysrc05SOE1NdWhvaGZnSkIzYWV1WEJ2YkprMjFHLzJjUWhPNkZ0VkhGa1NiT0I5UFlGUFdrdmtXcjNJa3UyTFdDSUlQUVJZPS0tbGpJcUJDRmEvZDlTeXV2US0tem43eWJnYVRGQXc0M204azcxMTdOQT09?signup=7122322#[email protected]
Resolved IP: 198.71.248.151 (GoDaddy US)
Sending Domain: aiscjapan.co.jp
Phishing Domain: encryptedsharedfiles2faauthentication.com
Resolved IP: does not resolve
Sending Domain: ollopk.com
Phishing Domain: bafkreiais4dunagcgilxllob4kqwnh3wzk5rp5ab56ydlamnysg2vrx2ya.ipfs.dweb.link (already taken down by hosting company); dweb.link/ipfs/QmZxPhiyc4yrRBa9MEqPqmPAadGcUdTLbTFywxtXCmRucw (taken down by host)
Resolved IP: 209.94.90.1 (Protocol Labs US)
Sending Domain: yoshikei.gr.jp; midori.gmobb.jp
Phishing Domain: lightbrightmart.com
Resolved IP: 100.99.90.110 (Shinjiru Technology Sdn Bhd MY)
Sending Domain: 1031.org
Phishing Domain: https://rb.gy/e1jzy?rb.routing.mode=proxy&rb.routing.signature=596792#a29kZXkuY3Jvc3NldHRAaGVhci5jb20=
Resolved IP: 34.194.223.150 (Amazon US)
Sending Domain: hyprov.com
Phishing Domain: e9d02e.6x669ripr.ru
Resolved IP: 104.21.25.86 (Cloudflare)
Sending Domain: essexcommunityhistoricalsociety.org
Phishing Domain: fdrmetal.com (my IDS blocked it and Cisco Umbrella notes it as blocked as a phishing/malware site)
Resolved IP: does not resolve
Sending Domain: amirault.ca
Phishing Domain: pinjamanonline.org (my IDS blocked it and Cisco Umbrella notes it as blocked as phishing/malware site)
Resolved IP: does not resolve
Sending Domain: hexaquestglobal.com
Phishing Domain: microsoftportal.us-east-1.linodeobjects.com
Resolved IP: 177.255.231.96 (Akamai US)
Sending Domain: platinumcopiers.com
Phishing Domain: securesignaturesinc.com
Resolved IP: 213.165.239.168 (InMotion Hosting US)
Sending Domain: southsidestores.com
Phishing Domain: yfgpbsxz.dvocacyc.ru (presents a fake Microsoft login page)
Resolved IP: 172.67.200.235 (Cloudflare US)
Sending Domain: p212121.com
Phishing Domain: https://rb.gy/vf5qx?rb.routing.mode=proxy&rb.routing.signature=41811#YWxleGFuZHJhLmthdHRoYWdlbkBoZWFyLmNvbQ==
Resolved IP: 3.216.119.162 (Amazon US)
Sending Domain: kratons.co
Phishing Domain: https://ff8hgqxgu9p.eapparel.net/ (presented a legit O365 login page)
Resolved IP: 18.170.36.240 (Amazon UK)
Sending Domain: hexaquestglobal.com
Phishing Domain: https://teklz9bq4r5ah6s.swnbdgfgzy.ru/
Resolved IP: 104.21.76.226 (Cloudflare US)
Sending Domain: mediabarker.com
"Microsoft Authenticator" Phish
These are specific quishing attacks masquerading as a "new authentication" for a targeted user. May include company branding.
Phishing Domain: https://pub-f02fa7701f9d4e13b153923f51b905e7.r2.dev/New-0987654323456789087654345678-987654323456789098765432345678909876543345678.html?email=[redacted] (blocked by Defender SmartScreen)
Resolved IP: 104.18.3.35 (Cloudflare)
Sending Domain: cjcharles.com