Skip to content

Latest commit

 

History

History
48 lines (38 loc) · 2.57 KB

TI Feed - ipfs_phishing.md

File metadata and controls

48 lines (38 loc) · 2.57 KB

TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1566.002 Phishing: Spearphishing Link Phishing: Spearphishing Link

Description

This detection rule focuses on identifying phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. The usage of IPFS in phishing campaigns is a sophisticated technique as it can bypass conventional security measures. The rule involves checking for subsequent connections to IPFS-hosted sites, which could indicate the execution of a phishing attack utilizing this decentralized file hosting system.

Risk

The risk targeted by this detection rule is the exploitation of IPFS in phishing campaigns, a method that could lead to successful phishing attacks due to the unconventional nature of IPFS as a hosting platform. Phishing attacks using IPFS can be more difficult to detect and can pose a significant threat to organizational security.

Author

References

Defender XDR

//check for phishing emails potentially using ipfs to host malicious content used in phishing campaigns.
let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
EmailEvents
| where Timestamp > ago (30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"

Sentinel

//check for subsequent connections to the site
let domains = externaldata (data:string)
[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
DeviceNetworkEvents
| where TimeGenerated > ago (30d)
| where RemoteUrl has_any (domains)