Adobe Phishing Kit 5c70696

Recent Detections

  • hxxps://folder-shared-file[.]voice-chatt[.]workers[.]dev
  • hxxps://folder-shared-file[.]voice-chatt[.]workers[.]dev/
  • hxxps://white-field-05e4[.]kdg6smak[.]workers[.]dev/
  • hxxp://white-field-05e4[.]kdg6smak[.]workers[.]dev
  • hxxps://preview-document[.]tortesabun[.]workers[.]dev/
  • hxxps://preview-folder[.]protect-secur[.]workers[.]dev
  • hxxp://cloud-documents[.]member-datings[.]workers[.]dev
  • hxxp://invoice-production[.]chat-verify[.]workers[.]dev
  • hxxps://preview-folder[.]people-media[.]workers[.]dev/
  • hxxps://flat-grass-5595[.]fo4ih28x[.]workers[.]dev/

IOK Rule (edit)

title: Adobe Phishing Kit 5c70696
description: |
    Adoba phishing kit which uses the same `template`
    element `id` attribute as well as having the same
    value inside the `noscript` tags.

references:
    - https://urlscan.io/result/bbdc4254-4c3b-46e8-b5a7-b86f8af3c452
    - https://urlscan.io/result/f6387380-2258-4113-8375-0195ecd1e268
    - https://urlscan.io/result/dc6f1a1d-ab62-4ac2-9844-1fb15498ce45
    - https://urlscan.io/result/4b107c8b-c9a2-406f-ad0f-f592d7e26af8


detection:

    templateElementID:
      html|contains: '5c706966-0c66-4623-bdc3-5bd23e958ca3'

    noScriptValue:
      html|contains: 'f67126f1a0cee6aeda1cbb99c2a1c01f'
   
    condition: templateElementID and noScriptValue

tags:
  - target.adobe