hxxps://es[.]sempra-infra[.]splunkcloud[.]com/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20index%3Dglobal_proofpoint%20sourcetype%3Dproofpoint_tap_siem%20eventType%3DmessagesDelivered%20completelyRewritten%3Dfalse%20threatsInfoMap%7B%7D[.]threatStatus!%3DfalsePositive%20NOT%20%0A%20%20%20%20%5B%20inputlookup%20soc_whitelist[.]csv%20%0A%20%20%20%20%7C%20search%20rule%3D%22Sempra%20-%20Phishing%20Attack%20Against%20Off-Prem%20Mailbox%22%20%0A%20%20%20%20%7C%20rename%20src_user%20as%20headerFrom%20%0A%20%20%20%20%7C%20table%20headerFrom%5D%0A%7C%20spath%20%22fromAddress%7B%7D%22%0A%7C%20search%20fromAddress%7B%7D%3Dnoreply%40wetransfer[.]com&earliest=1712354400&latest=1712355300&sid=1712356533[.]887428&display[.]page[.]search[.]mode=verbose&dispatch[.]sample_ratio=1#

Resubmissions

05/04/2024, 22:37

Target

https://es.sempra-infra.splunkcloud.com/en-US/app/SplunkEnterpriseSecuritySuite/search?q=search%20index%3Dglobal_proofpoint%20sourcetype%3Dproofpoint_tap_siem%20eventType%3DmessagesDelivered%20completelyRewritten%3Dfalse%20threatsInfoMap%7B%7D.threatStatus!%3DfalsePositive%20NOT%20%0A%20%20%20%20%5B%20inputlookup%20soc_whitelist.csv%20%0A%20%20%20%20%7C%20search%20rule%3D%22Sempra%20-%20Phishing%20Attack%20Against%20Off-Prem%20Mailbox%22%20%0A%20%20%20%20%7C%20rename%20src_user%20as%20headerFrom%20%0A%20%20%20%20%7C%20table%20headerFrom%5D%0A%7C%20spath%20%22fromAddress%7B%7D%22%0A%7C%20search%20fromAddress%7B%7D%3Dnoreply%40wetransfer.com&earliest=1712354400&latest=1712355300&sid=1712356533.887428&display.page.search.mode=verbose&dispatch.sample_ratio=1#

Score

8^/10

phishing

A potential corporate email address has been identified in the URL: searchindexglobalproofpointsourcetypeproofpointtapsiemeventTypemessagesDeliveredcompletelyRewrittenfalsethreatsInfoMap.threatStatusfalsePositiveNOTinputlookupsocwhitelist.csvsearchruleSempraPhishingAttackAgainstOffPremMailboxrenamesrcuserasheaderFromtableheaderFromspathfromAddresssearchfromAddressnoreply@wetransfer.com
phishing