Adobe Phishing Kit 5c70696

Recent Detections


IOK Rule

title: Adobe Phishing Kit 5c70696
description: |
    Adobe phishing kit which uses the same `template`
    element `id` attribute as well as having the same
    value inside the `noscript` tags.

references:
    - https://urlscan.io/result/bbdc4254-4c3b-46e8-b5a7-b86f8af3c452
    - https://urlscan.io/result/f6387380-2258-4113-8375-0195ecd1e268
    - https://urlscan.io/result/dc6f1a1d-ab62-4ac2-9844-1fb15498ce45
    - https://urlscan.io/result/4b107c8b-c9a2-406f-ad0f-f592d7e26af8


detection:

    templateElementID:
      html|contains: '5c706966-0c66-4623-bdc3-5bd23e958ca3'

    noScriptValue:
      html|contains: 'f67126f1a0cee6aeda1cbb99c2a1c01f'
   
    condition: templateElementID and noScriptValue

tags:
  - target.adobe