Date: 05/08/2025
Severity: Critical
Summary
We have analyzed multiple recent incidents in which threat actors used Microsoft Teams as the initial contact channel. Posing as the organization's Help Desk, the attackers message targeted users from attacker-controlled Microsoft 365 tenants and then try to persuade them to download and run a Trojanized GlobalProtect installer. GlobalProtect is the VPN and remote-access client used by Palo Alto Networks customers, so a fake installer hosted on look-alike domains (for example vpnpalo.com or vpn-pa.com in the IOC list below) is a credible lure for a Help Desk persona. The Unit 42 IOC file referenced at the end of this advisory ties this campaign to the MadMxShell malware.
Indicators of Compromise (IOC) List
Domains / URLs:
cristox.cl
deuscapacitaciones.cl
parusiafm.cl
pathernostrum.org
sancupertino.cl
helpdesklocal.onmicrosoft.com
ithelpdepartment.onmicrosoft.com
pathernostrum.onmicrosoft.com
vaihonet.com
dnscomp.com
leafinet.com
netsapi.com
nodicomtel.com
okoqi.com
webtpd.com
zehful.com
live-up.co
vpn-pa.com
vpnpalo.com
helpdesk-rating.com
vpn.fastcall.cc

IP Addresses:
164.92.67.56
45.61.136.238
45.61.136.214
107.170.37.233
161.35.151.75
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs (each domain is checked in the domainname, url and siteurl fields; the original query omitted siteurl for zehful.com and okoqi.com, which is corrected here):
domainname like "zehful.com" or url like "zehful.com" or siteurl like "zehful.com" or
domainname like "okoqi.com" or url like "okoqi.com" or siteurl like "okoqi.com" or
domainname like "cristox.cl" or url like "cristox.cl" or siteurl like "cristox.cl" or
domainname like "deuscapacitaciones.cl" or url like "deuscapacitaciones.cl" or siteurl like "deuscapacitaciones.cl" or
domainname like "parusiafm.cl" or url like "parusiafm.cl" or siteurl like "parusiafm.cl" or
domainname like "pathernostrum.org" or url like "pathernostrum.org" or siteurl like "pathernostrum.org" or
domainname like "sancupertino.cl" or url like "sancupertino.cl" or siteurl like "sancupertino.cl" or
domainname like "helpdesklocal.onmicrosoft.com" or url like "helpdesklocal.onmicrosoft.com" or siteurl like "helpdesklocal.onmicrosoft.com" or
domainname like "ithelpdepartment.onmicrosoft.com" or url like "ithelpdepartment.onmicrosoft.com" or siteurl like "ithelpdepartment.onmicrosoft.com" or
domainname like "pathernostrum.onmicrosoft.com" or url like "pathernostrum.onmicrosoft.com" or siteurl like "pathernostrum.onmicrosoft.com" or
domainname like "vaihonet.com" or url like "vaihonet.com" or siteurl like "vaihonet.com" or
domainname like "dnscomp.com" or url like "dnscomp.com" or siteurl like "dnscomp.com" or
domainname like "leafinet.com" or url like "leafinet.com" or siteurl like "leafinet.com" or
domainname like "netsapi.com" or url like "netsapi.com" or siteurl like "netsapi.com" or
domainname like "nodicomtel.com" or url like "nodicomtel.com" or siteurl like "nodicomtel.com" or
domainname like "webtpd.com" or url like "webtpd.com" or siteurl like "webtpd.com" or
domainname like "live-up.co" or url like "live-up.co" or siteurl like "live-up.co" or
domainname like "vpn-pa.com" or url like "vpn-pa.com" or siteurl like "vpn-pa.com" or
domainname like "vpnpalo.com" or url like "vpnpalo.com" or siteurl like "vpnpalo.com" or
domainname like "helpdesk-rating.com" or url like "helpdesk-rating.com" or siteurl like "helpdesk-rating.com" or
domainname like "vpn.fastcall.cc" or url like "vpn.fastcall.cc" or siteurl like "vpn.fastcall.cc"

IP Addresses:
dstipaddress IN ("45.61.136.214","164.92.67.56","45.61.136.238","107.170.37.233","161.35.151.75") or
srcipaddress IN ("45.61.136.214","164.92.67.56","45.61.136.238","107.170.37.233","161.35.151.75")

Two practical notes when running these queries. First, the three onmicrosoft.com entries are Microsoft 365 tenant names; expect them to show up as the external sender's tenant in Teams message or audit logs rather than as DNS or proxy destinations, so the Teams data source should be included in the search. Second, if the platform's like operator performs substring matching, an entry such as "leafinet.com" will also match unrelated hosts like "notleafinet.com"; where exact host or parent-domain matching is available, prefer it to reduce false positives.
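The following is an added example, written for this advisory and not part of Gurucul's TDIR or the Unit 42 material. It applies the IOC list above to JSON log records with exact-host or parent-domain matching (so "login.vpnpalo.com" hits "vpnpalo.com" but "notleafinet.com" does not hit "leafinet.com") and IP set membership. Field names domainname, url, siteurl, srcipaddress and dstipaddress mirror the query; "sender_upn" is an assumed name for a Teams sender field, and the sample records are constructed, not real telemetry.

```python
"""Match the advisory's IOC domains and IPs against JSON log records.

Added example (not Gurucul or Unit 42 code). Uses suffix-label matching for
domains instead of substring "like", and ipaddress set membership for IPs.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Domains and IPs copied from the advisory's IOC list.
IOC_DOMAINS = {
    "cristox.cl", "deuscapacitaciones.cl", "parusiafm.cl", "pathernostrum.org",
    "sancupertino.cl", "helpdesklocal.onmicrosoft.com",
    "ithelpdepartment.onmicrosoft.com", "pathernostrum.onmicrosoft.com",
    "vaihonet.com", "dnscomp.com", "leafinet.com", "netsapi.com",
    "nodicomtel.com", "okoqi.com", "webtpd.com", "zehful.com", "live-up.co",
    "vpn-pa.com", "vpnpalo.com", "helpdesk-rating.com", "vpn.fastcall.cc",
}
IOC_IPS = {
    ipaddress.ip_address(a) for a in (
        "164.92.67.56", "45.61.136.238", "45.61.136.214",
        "107.170.37.233", "161.35.151.75",
    )
}


def host_from_url(url):
    """Lower-cased hostname of a URL (scheme optional), or None if unparseable."""
    try:
        parsed = urlsplit(url if "://" in url else "//" + url)
    except ValueError:
        return None
    return parsed.hostname.lower() if parsed.hostname else None


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Walks label suffixes: "login.vpnpalo.com" -> "vpnpalo.com", while
    "notvpnpalo.com" -> None (a substring test would flag it). Because the
    list names the host "vpn.fastcall.cc", the bare "fastcall.cc" is not a hit.
    """
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(value):
    """Return the IOC address string if `value` parses to a listed IP, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None
    return str(addr) if addr in IOC_IPS else None


def match_record(rec):
    """Return [(field, ioc), ...] for every IOC hit in one log record (dict)."""
    hits = []
    for field in ("domainname", "siteurl", "url", "sender_upn"):
        value = rec.get(field)
        if not value:
            continue
        if field == "domainname":
            host = value
        elif field == "sender_upn":  # assumed Teams field: user@tenant-domain
            host = value.rpartition("@")[2]
        else:
            host = host_from_url(value)
        ioc = domain_hit(host)
        if ioc:
            hits.append((field, ioc))
    for field in ("srcipaddress", "dstipaddress"):
        ioc = ip_hit(rec.get(field))
        if ioc:
            hits.append((field, ioc))
    return hits


def scan(lines):
    """Scan JSON log lines; return [(line_index, hits)] for lines with hits."""
    results = []
    for i, line in enumerate(lines):
        hits = match_record(json.loads(line))
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records for illustration (not real telemetry).
SAMPLE_LOGS = [
    '{"domainname": "vpnpalo.com", "dstipaddress": "10.0.0.5"}',
    '{"url": "https://vpn.fastcall.cc/GlobalProtect64.msi", "dstipaddress": "45.61.136.214"}',
    '{"domainname": "notleafinet.com", "dstipaddress": "203.0.113.9"}',
    '{"siteurl": "https://cdn.sancupertino.cl/downloads/"}',
    '{"sender_upn": "it-support@ithelpdepartment.onmicrosoft.com"}',
    '{"srcipaddress": "192.168.1.10", "dstipaddress": "8.8.8.8"}',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

Running the block flags records 0, 1, 3 and 4 and leaves the "notleafinet.com" record alone, which is the false positive a plain substring query would produce. Feed it real exports by replacing SAMPLE_LOGS with lines read from your SIEM's JSON output.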
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-07-IOCs-from-Teams-phishing-for-MadMxShell.txt