AnonymousFox indicators

Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.

Sublime rule (View on GitHub)

 1name: "AnonymousFox indicators"
 2description: |
 3  Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
 4  This is indicative of messages sourced from an AnonymousFox compromised website.   
 5references:
 6  - "https://sucuri.net/guides/anonymousfox-hack-guide/"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and (
12    any(headers.hops,
13        any(.fields,
14            regex.icontains(.name, "^(X-Authenticated-Sender|X-Sender)")
15            and regex.icontains(.value, "(anonymous|smtp)fox-")
16        )
17    )
18    or regex.icontains(sender.email.email, "(anonymous|smtp)fox-")
19  )  
20attack_types:
21  - "BEC/Fraud"
22  - "Credential Phishing"
23  - "Malware/Ransomware"
24detection_methods:
25  - "Header analysis"
26  - "Sender analysis"
27id: "2506206e-b879-57fa-bcfd-95c66eb02db8"
to-top