AnonymousFox Indicators

Detects inbound email messages whose sender address, X-Authenticated-Sender header or X-Sender header contains the string `(anonymous|smtp)fox-` (case-insensitive; the rule's regex requires the trailing hyphen). Such a value indicates that the message was sent from a website compromised by the AnonymousFox hack, which is known for the `anonymousfox-` and `smtpfox-` account names it leaves behind.

Sublime rule (View on GitHub)

name: "AnonymousFox Indicators"
description: |
  Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
  This is indicative of messages sourced from an AnonymousFox compromised website.
reference:
  - "https://sucuri.net/guides/anonymousfox-hack-guide/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(headers.hops,
      any(.fields,
          regex.icontains(.name, "X-Authenticated-Sender|X-Sender") and
          regex.icontains(.value, "(anonymous|smtp)fox-"))
      or regex.icontains(sender.email.email, "(anonymous|smtp)fox-"))
tags:
  - "Suspicious headers"
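To see exactly what the rule does and does not fire on, here is an added Python re-implementation of its three checks run over constructed sample messages. This is illustrative code written for this page, not Sublime's engine or any code from the referenced guide; it simplifies `headers.hops` by scanning every header of the message rather than grouping them per hop, and the addresses, hostnames and header values in the samples are made up. The no-hyphen sample shows a caveat of the regex: `anonymousfox@` without the `-` suffix is not matched.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Same patterns the Sublime rule applies with regex.icontains (case-insensitive
# substring match). Note the trailing hyphen in the value pattern.
HEADER_NAME_RE = re.compile(r"X-Authenticated-Sender|X-Sender", re.IGNORECASE)
FOX_RE = re.compile(r"(anonymous|smtp)fox-", re.IGNORECASE)


def check_message(raw: str) -> dict:
    """Evaluate the rule's indicators against one raw RFC 5322 message.

    Simplification versus Sublime: the rule walks the fields of every hop;
    here every header of the message is examined, which covers the same
    fields for a single-hop message.
    """
    msg = message_from_string(raw, policy=policy.default)
    header_hits = [
        f"{name}: {value}"
        for name, value in msg.items()
        if HEADER_NAME_RE.search(name) and FOX_RE.search(str(value))
    ]
    # sender.email.email in Sublime is the address part of the From header.
    _, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_hit = bool(FOX_RE.search(sender_addr))
    return {
        "header_hits": header_hits,
        "sender_hit": sender_hit,
        "matched": bool(header_hits) or sender_hit,
    }


# Constructed samples (hypothetical hosts, addresses and account names).
SAMPLE_HEADER = (
    "Received: from web.example.com (web.example.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "X-Authenticated-Sender: smtpfox-k3jd9@web.example.com\n"
    'From: "Billing" <billing@example.com>\n'
    "To: victim@example.org\n"
    "Subject: Invoice\n"
    "\n"
    "Please see the attached invoice.\n"
)

SAMPLE_SENDER = (
    "Received: from web.example.com (web.example.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: anonymousfox-x8w2q@example.com\n"
    "To: victim@example.org\n"
    "Subject: Password reset\n"
    "\n"
    "Click the link to reset your password.\n"
)

# The hyphen is required by the pattern, so this one does NOT match.
SAMPLE_NO_HYPHEN = (
    "Received: from web.example.com (web.example.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "X-Sender: anonymousfox@example.com\n"
    "From: news@example.com\n"
    "To: victim@example.org\n"
    "Subject: Newsletter\n"
    "\n"
    "Hello.\n"
)

SAMPLE_CLEAN = (
    "Received: from mail.example.com (mail.example.com [192.0.2.20])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "X-Authenticated-Sender: alice@example.com\n"
    "From: alice@example.com\n"
    "To: victim@example.org\n"
    "Subject: Lunch\n"
    "\n"
    "Noon?\n"
)


if __name__ == "__main__":
    for label, raw in [("header", SAMPLE_HEADER), ("sender", SAMPLE_SENDER),
                       ("no-hyphen", SAMPLE_NO_HYPHEN), ("clean", SAMPLE_CLEAN)]:
        print(label, check_message(raw))
```

The first two samples fire on the X-Authenticated-Sender value and on the From address respectively; the third does not, because the rule's value regex needs the `-` that separates the fox prefix from the random suffix; the fourth is a control.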
