| Technique ID | Title | Link |
| --- | --- | --- |
| T1566.002 | Phishing: Spearphishing Link | Phishing: Spearphishing Link |
This detection rule identifies phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. Using IPFS in phishing campaigns is a sophisticated technique because it can bypass conventional security measures. The rule also checks for subsequent connections to IPFS-hosted sites, which could indicate that a phishing attack using this decentralized file hosting system was carried out.
The risk targeted by this rule is the exploitation of IPFS in phishing campaigns, a method that can lead to successful phishing attacks because IPFS is an unconventional hosting platform. Phishing attacks using IPFS can be harder to detect and can pose a significant threat to organizational security.
- Name: Gavin Knapp
- Github:
- Twitter:
- LinkedIn:
- Website:
```kql
// Check for phishing emails potentially using IPFS to host malicious content used in phishing campaigns.
// The externaldata URL of the IPFS domain list was blank on the original page and is left as-is.
let domains = externaldata (data:string)[h@""] with (format="txt");
EmailEvents  // source table inferred from the DeliveryAction and NetworkMessageId columns
| where Timestamp > ago(30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"
```

```kql
// Check for subsequent connections to the site.
let domains = externaldata (data:string)[h@""] with (format="txt");
DeviceNetworkEvents  // source table inferred from the RemoteUrl column
| where TimeGenerated > ago(30d)
| where RemoteUrl has_any (domains)
```
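The two queries above are run separately, so an analyst still has to tie a delivered email to the endpoint that later contacted the IPFS gateway by hand. The following query is an added example, not part of the original rule or its author's repository: it correlates delivered (not blocked) emails carrying IPFS gateway URLs with endpoint connections to the same host within 24 hours of delivery. It assumes a Microsoft Sentinel workspace with the Defender XDR tables EmailEvents, EmailUrlInfo and DeviceNetworkEvents (TimeGenerated column); the gateway list is a short constructed sample standing in for the externaldata feed the rule uses, and the 30-day lookback and 24-hour click window are assumed values.

```kql
// Added example (not the page's own query): tie delivered emails that carry IPFS gateway URLs
// to later endpoint connections to the same host, within 24 hours of delivery.
// Assumes a Microsoft Sentinel workspace with EmailEvents, EmailUrlInfo and DeviceNetworkEvents.
// The gateway list is a constructed sample for illustration; replace it with your maintained list
// (for instance the externaldata feed used by the rule above).
let ipfs_gateways = dynamic(["ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud", "w3s.link"]);
let lookback = 30d;       // assumed lookback window
let click_window = 24h;   // assumed maximum delay between delivery and click
// Step 1: delivered (not blocked) emails whose URLs point at an IPFS gateway
let delivered =
    EmailEvents
    | where TimeGenerated > ago(lookback)
    | where DeliveryAction !~ "Blocked"
    | join kind=inner (
        EmailUrlInfo
        | project NetworkMessageId, Url, UrlDomain = tolower(UrlDomain)
      ) on NetworkMessageId
    | where UrlDomain has_any (ipfs_gateways)
    | project DeliveredTime = TimeGenerated, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, Url, UrlDomain;
// Step 2: endpoint connections to those same hosts after the email was delivered
DeviceNetworkEvents
| where TimeGenerated > ago(lookback) and isnotempty(RemoteUrl)
// RemoteUrl may be a bare host or a full URL; extract the host part in either case
| extend RemoteHost = tolower(iff(RemoteUrl startswith "http",
                                  tostring(parse_url(RemoteUrl).Host),
                                  tostring(split(RemoteUrl, "/")[0])))
| where RemoteHost has_any (ipfs_gateways)
| join kind=inner (delivered) on $left.RemoteHost == $right.UrlDomain
| where TimeGenerated between (DeliveredTime .. (DeliveredTime + click_window))
| project ConnectionTime = TimeGenerated, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, RemoteUrl, RemoteIP,
          DeliveredTime, RecipientEmailAddress, SenderFromAddress, Subject, EmailUrl = Url
| order by ConnectionTime desc
```

Joining on the exact host rather than on the gateway list alone means the CID-as-subdomain form of gateway URLs (where the content identifier is the leftmost label) still matches, because both the email URL and the endpoint connection report the same full host. The join does not prove that the recipient is the user on the connecting device, so the output is a triage list rather than a confirmed click; the account and process columns are there to make that check quick. In Microsoft Defender advanced hunting, replace TimeGenerated with Timestamp.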