Little phishing campaign this morning. Just some scareware type stuff hosted on windows dot net. Again. Maybe take a look at your web and / or DNS logs ( if you have them ) for something like this:

^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$

And here is a list of over 900~~0~~ IPs sending the messages. They're spoofing the sender so they fail on SPF and DKIM if you're enforcing those. Also, lots of residential IPs so this is meant more for hunting rather than proactive blocking. Unless you want to block them just at the mail server.

https://blog.gayint.org/intel/phishing20260406.txt

#GAYINT
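A hunting sketch for the pattern above, added here as an example and not part of the original post. The pattern is anchored, so it has to be applied to an extracted, normalized hostname rather than to a whole log line. The log formats, client IPs and hostnames below are constructed samples.

```python
import re
from collections import defaultdict

# Pattern from the post. It is anchored (^...$), so it only works on a bare hostname.
STORAGE_HOST = re.compile(r"^[a-z]{8,9}\.z[0-9]{1,2}\.web\.core\.windows\.net$")

# Pull candidate hostnames out of free-form log lines. The lookahead rejects
# names that merely start with the suffix (e.g. "...windows.net.lookalike.example").
CANDIDATE = re.compile(
    r"[A-Za-z0-9.-]+\.web\.core\.windows\.net\.?(?![A-Za-z0-9.-])", re.I
)

def normalize(host):
    """Lowercase and drop the trailing root dot that DNS logs often keep."""
    return host.strip().lower().rstrip(".")

def hunt(lines):
    """Return {hostname: [line numbers]} for hostnames matching the pattern."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for token in CANDIDATE.findall(line):
            host = normalize(token)
            if STORAGE_HOST.match(host):
                hits[host].append(n)
    return dict(hits)

# Constructed sample lines mixing a DNS query log and a proxy log.
SAMPLE_LOG = [
    "client 10.0.0.21#53122: query: examplea.z13.web.core.windows.net IN A",
    "10.0.0.37 GET https://EXAMPLEXX.z7.web.core.windows.net./index.html 200",
    "client 10.0.0.21#53140: query: contosostaticsite.z13.web.core.windows.net IN A",
    "10.0.0.40 GET http://examplea.z13.web.core.windows.net.lookalike.example/ 200",
    "client 10.0.0.52#40011: query: examplea.z13.web.core.windows.net IN A",
]

if __name__ == "__main__":
    for host, line_numbers in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host}: {len(line_numbers)} hit(s) on lines {line_numbers}")
```

Lines 3 and 4 of the sample are deliberately non-matching: a longer account name that does not fit the 8 to 9 letter label, and a hostname that only embeds the suffix.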

@cR0w but seriously... report abuse please... that's the right path to prevent harm.
@scottley Thanks for all the info. I didn't realize how different everything is in Azure, especially since I don't do much on the phishing side. They've been submitted, despite the outdated API docs. 🍻