AnonymousFox indicators
Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.
Sublime rule (View on GitHub)
1name: "AnonymousFox indicators"
2description: |
3 Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
4 This is indicative of messages sourced from an AnonymousFox compromised website.
5references:
6 - "https://sucuri.net/guides/anonymousfox-hack-guide/"
7type: "rule"
8severity: "high"
9source: |
10 type.inbound
11 and (
12 any(headers.hops,
13 any(.fields,
14 regex.icontains(.name, "^(X-Authenticated-Sender|X-Sender)")
15 and regex.icontains(.value, "(anonymous|smtp)fox-")
16 )
17 )
18 or regex.icontains(sender.email.email, "(anonymous|smtp)fox-")
19 )
20attack_types:
21 - "BEC/Fraud"
22 - "Credential Phishing"
23 - "Malware/Ransomware"
24detection_methods:
25 - "Header analysis"
26 - "Sender analysis"
27id: "2506206e-b879-57fa-bcfd-95c66eb02db8"