Adobe Phishing Kit 5c70696

Adobe phishing kit which uses the same template element id attribute as well as having the same value inside the noscript tags.

References

Recent Detections

hxxp://broken-rain-1a74[.]1rwvvy66[.]workers[.]dev/

urlscan.io
hxxp://purple-da6462[.]qqu4qswu[.]workers[.]dev/

urlscan.io
hxxps://confirmations[.]profiles-male[.]workers[.]dev/

urlscan.io
hxxp://shared-folder-docs[.]memwendo[.]workers[.]dev/

urlscan.io
hxxps://broken-rain-1a74[.]1rwvvy66[.]workers[.]dev/

urlscan.io
hxxp://document[.]lates-proposale[.]workers[.]dev/

urlscan.io
hxxps://login-ourtime[.]members-datings[.]workers[.]dev/

urlscan.io
hxxps://login[.]ours-project[.]workers[.]dev/

urlscan.io
hxxp://login[.]ours-project[.]workers[.]dev/

urlscan.io
hxxps://login-ourtime[.]apps-members[.]workers[.]dev/

urlscan.io

IOK Rule (edit)

title: Adobe Phishing Kit 5c70696
description: |
    Adobe phishing kit which uses the same `template`
    element `id` attribute as well as having the same
    value inside the `noscript` tags.

references:
    - https://urlscan.io/result/bbdc4254-4c3b-46e8-b5a7-b86f8af3c452
    - https://urlscan.io/result/f6387380-2258-4113-8375-0195ecd1e268
    - https://urlscan.io/result/dc6f1a1d-ab62-4ac2-9844-1fb15498ce45
    - https://urlscan.io/result/4b107c8b-c9a2-406f-ad0f-f592d7e26af8


detection:

    templateElementID:
      html|contains: '5c706966-0c66-4623-bdc3-5bd23e958ca3'

    noScriptValue:
      html|contains: 'f67126f1a0cee6aeda1cbb99c2a1c01f'
   
    condition: templateElementID and noScriptValue

tags:
  - target.adobe