AnonymousFox Indicators
Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.
Sublime rule (View on GitHub)
1name: "AnonymousFox Indicators"
2description: |
3 Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
4 This is indicative of messages sourced from an AnonymousFox compromised website.
5reference:
6 - "https://sucuri.net/guides/anonymousfox-hack-guide/"
7type: "rule"
8severity: "medium"
9source: |
10 type.inbound
11 and any(headers.hops,
12 any(.fields,
13 regex.icontains(.name, "X-Authenticated-Sender|X-Sender") and
14 regex.icontains(.value, "(anonymous|smtp)fox-"))
15 or regex.icontains(sender.email.email, "(anonymous|smtp)fox-"))
16tags:
17 - "Suspicious headers"