Sublime Core Feed

Description

Impersonation of ukr[.]net.

Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Source
type.inbound
and (
  (
    // technique
    strings.ilike(sender.display_name, "ukr*net")
    and sender.email.domain.root_domain != "ukr.net"
  )
  or (
    // IOCs
    subject.subject == "Увага"
    and (
      sender.email.email in (
        "muthuprakash.b@tvsrubber.com",
        "rakesh.ict@msruas.ac.in",
        "omars@salecharter.net",
        "citi.in.pm@xerago.com",
        "qs@gsengint.com",
        "sec.ls@msruas.ac.in",
        "vaishnavi.kj@tvsrubber.com",
        "nshcorp@nshcorp.in",
        "purchase2@hitechelastomers.com",
        "productionbelgavi@hodekindia.com",
        "narayanababu.py.ph@msruas.ac.in",
        "roopa.tsld@msruas.ac.in",
        "in-nonciti.basupport@xerago.com",
        "info@empiink.com",
        "pooja.fa@msruas.ac.in",
        "babu.d@tvsrubber.com",
        "systeam@xerago.com",
        "dean.ds@msruas.ac.in",
      )
      or any(body.links, .href_url.domain.domain == "consumerspanel.frge.io")
    )
  )
)
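The rule above has two independent branches: a behavioural check (a sender display name that looks like "ukr…net" while the sending root domain is not ukr.net) and a static IOC branch (the "Увага" subject combined with a known sender address or a link to consumerspanel.frge.io). The following Python re-implements both branches over a few constructed messages so the logic can be exercised outside Sublime. It is an added example, not Sublime's own evaluator or MQL engine: the `Message` structure, the `root_domain` helper (a last-two-labels simplification, whereas MQL uses a public-suffix aware root domain) and the sample messages are assumptions; the IOC sender list is a subset of the addresses on this page.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed stand-in for the fields the MQL rule reads (assumption: all
# messages here are inbound, which is what `type.inbound` asserts).
@dataclass
class Message:
    display_name: str          # sender.display_name
    sender_email: str          # sender.email.email
    subject: str               # subject.subject
    link_domains: List[str] = field(default_factory=list)  # body.links[].href_url.domain.domain

# IOC branch values taken from the rule on this page (subset of the sender list).
IOC_SUBJECT = "Увага"
IOC_LINK_DOMAIN = "consumerspanel.frge.io"
IOC_SENDERS = {
    "muthuprakash.b@tvsrubber.com",
    "omars@salecharter.net",
    "info@empiink.com",
}

def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match over the whole string, like MQL `ilike`.
    `*` matches any run of characters; the pattern must cover the entire value."""
    return fnmatchcase(value.lower(), pattern.lower())

def sender_domain(email: str) -> str:
    """Domain part of an address (sender.email.domain.domain)."""
    return email.rsplit("@", 1)[-1].lower()

def root_domain(domain: str) -> str:
    """Assumed simplification of sender.email.domain.root_domain: keep the last
    two labels. Real MQL consults the public suffix list (e.g. for co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def matches_technique(msg: Message) -> bool:
    """Display name spoofs ukr.net but the mail did not come from ukr.net."""
    return (ilike(msg.display_name, "ukr*net")
            and root_domain(sender_domain(msg.sender_email)) != "ukr.net")

def matches_iocs(msg: Message) -> bool:
    """Subject IOC plus either a known sender or the known landing-page domain."""
    if msg.subject != IOC_SUBJECT:
        return False
    known_sender = msg.sender_email.lower() in IOC_SENDERS
    known_link = any(d.lower() == IOC_LINK_DOMAIN for d in msg.link_domains)
    return known_sender or known_link

def evaluate(msg: Message) -> Dict[str, bool]:
    """Mirror the rule's top-level `and (technique or iocs)` structure."""
    technique = matches_technique(msg)
    iocs = matches_iocs(msg)
    return {"technique": technique, "iocs": iocs, "flagged": technique or iocs}

# Constructed sample messages (not real traffic).
SAMPLES = {
    "impersonation":    Message("UKR.NET", "alerts@example.com", "Account notice"),
    "legit_subdomain":  Message("ukr.net", "noreply@mail.ukr.net", "Account notice"),
    "ioc_link":         Message("Support", "someone@example.org", "Увага",
                                ["consumerspanel.frge.io"]),
    "ioc_sender":       Message("Support", "omars@salecharter.net", "Увага"),
    "ioc_subject_only": Message("Support", "someone@example.org", "Увага"),
    "benign":           Message("Ukraine News", "news@example.net", "Weekly digest"),
}

def run_samples() -> Dict[str, bool]:
    """Return which constructed samples the rule would flag."""
    return {label: evaluate(msg)["flagged"] for label, msg in SAMPLES.items()}

if __name__ == "__main__":
    for label, flagged in run_samples().items():
        print(f"{label:18s} flagged={flagged}")
```

The `legit_subdomain` sample is the reason the rule compares `root_domain` rather than `domain`: mail from `mail.ukr.net` carries a ukr.net display name legitimately, and a plain domain comparison would flag it. The `ioc_subject_only` sample shows that the IOC branch needs the subject plus a second indicator, which keeps a common Ukrainian word from firing the rule on its own.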