AnonymousFox Indicators

Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.

Sublime rule

name: "AnonymousFox Indicators"
description: |
  Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
  This is indicative of messages sourced from an AnonymousFox compromised website.
references:
  - "https://sucuri.net/guides/anonymousfox-hack-guide/"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(headers.hops,
          any(.fields,
              regex.icontains(.name, "X-Authenticated-Sender|X-Sender")
              and regex.icontains(.value, "(anonymous|smtp)fox-")
          )
          or regex.icontains(sender.email.email, "(anonymous|smtp)fox-")
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "2506206e-b879-57fa-bcfd-95c66eb02db8"
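The same header and sender checks, re-implemented in Python over the standard library's email parser so the logic can be tried offline on a raw message. This is an added example, not the Sublime rule or Sublime's own code; the sample messages are constructed, and the flat walk over all headers is an approximation of the rule's per-hop `headers.hops[].fields` iteration.

```python
"""Python re-implementation of the AnonymousFox header/sender check (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Same header names and sender pattern the Sublime rule matches on (case-insensitive).
HEADER_RE = re.compile(r"X-Authenticated-Sender|X-Sender", re.IGNORECASE)
FOX_RE = re.compile(r"(anonymous|smtp)fox-", re.IGNORECASE)


def anonymousfox_indicators(raw_message: bytes) -> list:
    """Return the names of matching headers (plus 'From' if the sender address matches)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Walk every header; the rule walks the fields of each Received hop instead.
    for name, value in msg.items():
        if HEADER_RE.search(name) and FOX_RE.search(str(value)):
            hits.append(name)
    # Equivalent of sender.email.email: the address part of the From header.
    _, addr = parseaddr(str(msg.get("From", "")))
    if FOX_RE.search(addr):
        hits.append("From")
    return hits


# Constructed sample messages (not real captures).
SUSPICIOUS = (
    b"Received: from mail.example.test (mail.example.test [192.0.2.10])\r\n"
    b"X-Authenticated-Sender: smtpfox-abc123@example.test\r\n"
    b"From: Billing <invoices@example.test>\r\n"
    b"Subject: Invoice\r\n\r\nPlease see attached.\r\n"
)
BENIGN = (
    b"From: Alice <alice@example.test>\r\n"
    b"X-Sender: alice@example.test\r\n"
    b"Subject: Hi\r\n\r\nHello.\r\n"
)

if __name__ == "__main__":
    print(anonymousfox_indicators(SUSPICIOUS))  # ['X-Authenticated-Sender']
    print(anonymousfox_indicators(BENIGN))      # []
```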