General

  • Target

    http://

    **Assign Priority and Path**

    ### Medium Priority

    #### What was Observed

    ***

    THeCOnsole has alerted on `a potentially malicious URL click having been detected`, by user context(s) `[email protected]`, `[email protected]` and `usher5j9mfb3.global.bio-rad.com`.

    * URL: `https://shamdc.com/`
    * [URLscan](https://urlscan.io/result/6023fe33-36bf-4a52-be04-360958d26514/) has no classification at the time of escalation; Google Safe Browsing classification: `Malicious`.
    * [VirusTotal](https://www.virustotal.com/gui/url/52e984f7b65686b729b64041f82c6277c4b73c1055fd98380de42d8550f22d33) reports clean.
    * [AlienVault](https://otx.alienvault.com/indicator/url/https://shamdc.com/) reports `2` pulses.
    * Even though the sites themselves report clean, they could still host potentially malicious code the parent company is not responsible for.
    * IP Address: `Imput Here`
    * Sender: `[email protected]`
    * Email sender domain: `smpte.org`
    * [URLscan](https://urlscan.io/result/5b7c00dd-4da2-44d4-98e5-52b06b8c3c8a/) has no classification.
    * Subject: (No Subject)
    * IP Address: `40.107.93.57` | [AbuseIPDB](https://www.abuseipdb.com/check/40.107.93.57) reports the IP's Confidence of Abuse at `12%`
    * DKIM: `Pass`
    * DMARC: `Pass`
    * SPF: `Pass`
    * Original Delivery Location: `Inbox`
    * Delivery Action: `Delivered`

    ***

    #### What is the Risk

    Adversaries may use [Phishing](https://attack.mitre.org/techniques/T1566/) websites to gain access to victim systems. These websites may contain one or more of the following: malicious code, hyperlinks, or executable binaries. Attackers use these sites to attempt to gain a foothold in the recipient's organization, either by tricking the recipient into entering credentials, installing malicious binaries on their computer, or running malicious code from memory.

    ??? `ProofPoint` does a preliminary safety check on any URL received via e-mail as an added security measure against phishing. When URLs are not rewritten, this check has not happened for the URL link in question.

    ***

    #### What is Recommended

    * We recommend verifying that the user did not enter credentials as a result of this activity. If so, their password should be reset, and all active sessions should be revoked.
    * Examine the endpoint to ensure no malicious files were downloaded.
    * Additionally, we recommend blocking connections to the domain **`The Domain`**

Score
1/10

Malware Config

Signatures

Files