Little phishing campaign this morning. Just some scareware-type stuff hosted on windows dot net. Again. Maybe take a look at your web and/or DNS logs (if you have them) for something like this:

^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$

And here is a list of over 900~~0~~ IPs sending the messages. They're spoofing the sender so they fail on SPF and DKIM if you're enforcing those. Also, lots of residential IPs so this is meant more for hunting rather than proactive blocking. Unless you want to block them just at the mail server.

https://blog.gayint.org/intel/phishing20260406.txt

#GAYINT

@cR0w that TLD is all of Azure Storage static web apps
@scottley Yep. And I'd love to block them all but I can't.
@cR0w to this point here... you could block all hosts that are not starting with storage account names your company uses... if that is the scope of risk you want to block... you will break things if your providers are using the Azure data plane naked domains and not using custom domain names.
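
The hunt described in this thread, as an added example that is not part of the original posts: it applies the regex from the first post to DNS query log lines and skips storage account names you recognise, as the last reply suggests. The log format, the sample lines and the `KNOWN_ACCOUNTS` entry are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern from the post: 8-9 lowercase letters, a zNN zone label, then the
# Azure Storage static-website suffix.
CAMPAIGN_RE = re.compile(r"^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$")

# Hypothetical: storage account names your organisation or its providers use.
KNOWN_ACCOUNTS = {"contosohr"}

# Constructed sample lines; assumed format "<timestamp> <client_ip> <qname>".
SAMPLE_LOG = """\
2026-04-06T08:01:12Z 10.0.4.17 qwertyuio.z13.web.core.windows.net.
2026-04-06T08:01:40Z 10.0.4.17 QWERTYUIO.z13.web.core.windows.net
2026-04-06T08:02:03Z 10.0.9.88 abcdefgh.z5.web.core.windows.net
2026-04-06T08:02:30Z 10.0.2.5 contosohr.z6.web.core.windows.net
2026-04-06T08:03:11Z 10.0.2.5 abcdefgh.blob.core.windows.net
2026-04-06T08:03:59Z 10.0.7.1 abc123de.z13.web.core.windows.net
malformed line
"""


def normalise(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().lower().rstrip(".")


def hunt(lines, known_accounts=KNOWN_ACCOUNTS):
    """Return {hostname: sorted client IPs} for names that match the pattern
    and whose first label is not a known storage account."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that are not in the assumed format
        _ts, client, qname = parts
        host = normalise(qname)
        if not CAMPAIGN_RE.match(host):
            continue
        if host.split(".", 1)[0] in known_accounts:
            continue  # recognised account: not a hunting lead
        hits[host].add(client)
    return {h: sorted(c) for h, c in sorted(hits.items())}


if __name__ == "__main__":
    for host, clients in hunt(SAMPLE_LOG.splitlines()).items():
        print(host, ",".join(clients))
```

Matches are hunting leads to review against mail and proxy logs, since legitimate static sites can also fit the pattern.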