Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

    Date: 11/01/2024

    Severity: High

    Summary

    The report "Midnight Blizzard Conducts Large-Scale Spear-Phishing Campaign Using RDP Files" highlights a sophisticated phishing operation conducted by the threat actor group known as Midnight Blizzard. The campaign involves sending malicious Remote Desktop Protocol (RDP) files to targeted individuals to gain unauthorized access to their systems. This tactic aims to exploit the growing reliance on remote work technologies. The report emphasizes the group's focus on specific sectors and suggests that organizations should enhance their security measures and employee training to defend against such targeted phishing attacks.

    Indicators of Compromise (IOC) List

    URL/Domain

    Email

    sellar.co.uk

    townoflakelure.com

    totalconstruction.com.au

    swpartners.com.au

    cewalton.com

    Filename

    AWS IAM Compliance Check.rdp

    AWS IAM Configuration.rdp

    AWS IAM Quick Start.rdp

    AWS SDE Compliance Check.rdp

    AWS SDE Environment Check.rdp

    AWS Secure Data Exchange – Compliance Check.rdp

    AWS Secure Data Exchange Compliance.rdp

    Device Configuration Verification.rdp

    Device Security Requirements Check.rdp

    IAM Identity Center Access.rdp

    IAM Identity Center Application Access.rdp

    Zero Trust Architecture Configuration.rdp

    Zero Trust Security Environment Compliance Check.rdp

    ZTS Device Compatibility Test.rdp

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "central-2-aws.ua-mil.cloud" or url like "central-2-aws.ua-mil.cloud" or userdomainname like "us-west-2-aws.ua-energy.cloud" or url like "us-west-2-aws.ua-energy.cloud" or userdomainname like "eu-south-2-aws.mzv-sk.cloud" or url like "eu-south-2-aws.mzv-sk.cloud" or userdomainname like "eu-south-1-aws.mil-be.cloud" or url like "eu-south-1-aws.mil-be.cloud" or userdomainname like "eu-south-2.ua-sec.cloud" or url like "eu-south-2.ua-sec.cloud" or userdomainname like "eu-west-1.ua-gov.cloud" or url like "eu-west-1.ua-gov.cloud" or userdomainname like "eu-west-1.s3-esa.cloud" or url like "eu-west-1.s3-esa.cloud" or userdomainname like "ap-northeast-1-aws.s3-ua.cloud" or url like "ap-northeast-1-aws.s3-ua.cloud" or userdomainname like "eu-north-1-aws.s3-de.cloud" or url like "eu-north-1-aws.s3-de.cloud" or userdomainname like "eu-east-1-aws.ukrtelecom.cloud" or url like "eu-east-1-aws.ukrtelecom.cloud" or userdomainname like "eu-west-3-aws.aws-ukraine.cloud" or url like "eu-west-3-aws.aws-ukraine.cloud" or userdomainname like "eu-central-1-aws.mindef-nl.cloud" or url like "eu-central-1-aws.mindef-nl.cloud" or userdomainname like "eu-north-1.gov-ua.cloud" or url like "eu-north-1.gov-ua.cloud" or userdomainname like "eu-south-2-aws.s3-esa.cloud" or url like "eu-south-2-aws.s3-esa.cloud" or userdomainname like "eu-central-1.mil-be.cloud" or url like "eu-central-1.mil-be.cloud" or userdomainname like "eu-west-1.regeringskansliet-se.cloud" or url like "eu-west-1.regeringskansliet-se.cloud" or userdomainname like "us-east-2-aws.gov-ua.cloud" or url like "us-east-2-aws.gov-ua.cloud" or userdomainname like "eu-southeast-1-aws.ukrainesec.cloud" or url like "eu-southeast-1-aws.ukrainesec.cloud" or userdomainname like "eu-west-3-aws.mindef-nl.cloud" or url like "eu-west-3-aws.mindef-nl.cloud" or userdomainname like "eu-central-1-aws.s3-ua.cloud" or url like "eu-central-1-aws.s3-ua.cloud" or userdomainname like "eu-west-1.mil-be.cloud" or url like 
"eu-west-1.mil-be.cloud" or userdomainname like "eu-central-1.difesa-it.cloud" or url like "eu-central-1.difesa-it.cloud" or userdomainname like "eu-west-2-aws.s3-de.cloud" or url like "eu-west-2-aws.s3-de.cloud" or userdomainname like "central-2-aws.ukrtelecom.cloud" or url like "central-2-aws.ukrtelecom.cloud" or userdomainname like "eu-north-1-aws.mil-be.cloud" or url like "eu-north-1-aws.mil-be.cloud" or userdomainname like "eu-west-1-aws.mil-be.cloud" or url like "eu-west-1-aws.mil-be.cloud" or userdomainname like "eu-west-3.msz-pl.cloud" or url like "eu-west-3.msz-pl.cloud" or userdomainname like "eu-south-1-aws.s3-de.cloud" or url like "eu-south-1-aws.s3-de.cloud" or userdomainname like "eu-central-2-aws.mil-pl.cloud" or url like "eu-central-2-aws.mil-pl.cloud" or userdomainname like "eu-north-1-aws.quirinale.cloud" or url like "eu-north-1-aws.quirinale.cloud" or userdomainname like "eu-west-3.presidencia-pt.cloud" or url like "eu-west-3.presidencia-pt.cloud" or userdomainname like "us-west-2-aws.s3-ua.cloud" or url like "us-west-2-aws.s3-ua.cloud" or userdomainname like "eu-east-1-aws.s3-be.cloud" or url like "eu-east-1-aws.s3-be.cloud" or userdomainname like "eu-southeast-1-aws.quirinale.cloud" or url like "eu-southeast-1-aws.quirinale.cloud" or userdomainname like "eu-north-1-aws.s3-be.cloud" or url like "eu-north-1-aws.s3-be.cloud" or userdomainname like "eu-southeast-1-aws.gov-trust.cloud" or url like "eu-southeast-1-aws.gov-trust.cloud" or userdomainname like "eu-south-2-aws.mil-be.cloud" or url like "eu-south-2-aws.mil-be.cloud" or userdomainname like "eu-east-1-aws.msz-pl.cloud" or url like "eu-east-1-aws.msz-pl.cloud" or userdomainname like "eu-south-2-aws.msz-pl.cloud" or url like "eu-south-2-aws.msz-pl.cloud" or userdomainname like "eu-west-2-aws.dep-no.cloud" or url like "eu-west-2-aws.dep-no.cloud" or userdomainname like "eu-east-1-aws.mindef-nl.cloud" or url like "eu-east-1-aws.mindef-nl.cloud" or userdomainname like 
"eu-south-2-aws.amazonsolutions.cloud" or url like "eu-south-2-aws.amazonsolutions.cloud" or userdomainname like "eu-west-1.mzv-sk.cloud" or url like "eu-west-1.mzv-sk.cloud" or userdomainname like "us-west-1-amazon.ua-energy.cloud" or url like "us-west-1-amazon.ua-energy.cloud" or userdomainname like "eu-west-2-aws.mzv-sk.cloud" or url like "eu-west-2-aws.mzv-sk.cloud" or userdomainname like "eu-south-2.dep-no.cloud" or url like "eu-south-2.dep-no.cloud" or userdomainname like "eu-south-2.s3-nato.cloud" or url like "eu-south-2.s3-nato.cloud" or userdomainname like "eu-west-3-aws.dep-no.cloud" or url like "eu-west-3-aws.dep-no.cloud" or userdomainname like "eu-west-3.aws-ukraine.cloud" or url like "eu-west-3.aws-ukraine.cloud" or userdomainname like "eu-southeast-1-aws.mzv-cz.cloud" or url like "eu-southeast-1-aws.mzv-cz.cloud" or userdomainname like "eu-south-1-aws.mzv-sk.cloud" or url like "eu-south-1-aws.mzv-sk.cloud" or userdomainname like "eu-west-3.minbuza.cloud" or url like "eu-west-3.minbuza.cloud" or userdomainname like "eu-north-1-aws.difesa-it.cloud" or url like "eu-north-1-aws.difesa-it.cloud" or userdomainname like "eu-central-1-aws.dep-no.cloud" or url like "eu-central-1-aws.dep-no.cloud"

    Detection Query 2

    userdomainname like "eu-central-1.msz-pl.cloud" or url like "eu-central-1.msz-pl.cloud" or userdomainname like "ca-central-1.gov-ua.cloud" or url like "ca-central-1.gov-ua.cloud" or userdomainname like "eu-central-1-aws.s3-be.cloud" or url like "eu-central-1-aws.s3-be.cloud" or userdomainname like "eu-south-1-aws.gov-pl.cloud" or url like "eu-south-1-aws.gov-pl.cloud" or userdomainname like "eu-central-1.regeringskansliet-se.cloud" or url like "eu-central-1.regeringskansliet-se.cloud" or userdomainname like "eu-south-2-aws.minbuza.cloud" or url like "eu-south-2-aws.minbuza.cloud" or userdomainname like "eu-southeast-1-aws.ua-energy.cloud" or url like "eu-southeast-1-aws.ua-energy.cloud" or userdomainname like "us-west-2.gov-ua.cloud" or url like "us-west-2.gov-ua.cloud" or userdomainname like "eu-south-2.s3-be.cloud" or url like "eu-south-2.s3-be.cloud" or userdomainname like "eu-central-2-aws.amazonsolutions.cloud" or url like "eu-central-2-aws.amazonsolutions.cloud" or userdomainname like "eu-south-2-aws.ua-gov.cloud" or url like "eu-south-2-aws.ua-gov.cloud" or userdomainname like "eu-west-1-aws.ukrainesec.cloud" or url like "eu-west-1-aws.ukrainesec.cloud" or userdomainname like "eu-south-1-aws.ua-gov.cloud" or url like "eu-south-1-aws.ua-gov.cloud" or userdomainname like "eu-south-1-aws.difesa-it.cloud" or url like "eu-south-1-aws.difesa-it.cloud" or userdomainname like "eu-west-2-aws.gov-pl.cloud" or url like "eu-west-2-aws.gov-pl.cloud" or userdomainname like "eu-central-1.mfa-gov.cloud" or url like "eu-central-1.mfa-gov.cloud" or userdomainname like "eu-central-1.ua-gov.cloud" or url like "eu-central-1.ua-gov.cloud" or userdomainname like "eu-central-1-aws.minbuza.cloud" or url like "eu-central-1-aws.minbuza.cloud" or userdomainname like "eu-south-2.mil-be.cloud" or url like "eu-south-2.mil-be.cloud" or userdomainname like "eu-west-2-aws.msz-pl.cloud" or url like "eu-west-2-aws.msz-pl.cloud" or userdomainname like 
"eu-central-1-aws.regeringskansliet-se.cloud" or url like "eu-central-1-aws.regeringskansliet-se.cloud" or userdomainname like "us-west-1.ua-energy.cloud" or url like "us-west-1.ua-energy.cloud" or userdomainname like "eu-central-1-aws.mzv-sk.cloud" or url like "eu-central-1-aws.mzv-sk.cloud" or userdomainname like "eu-central-1.quirinale.cloud" or url like "eu-central-1.quirinale.cloud" or userdomainname like "eu-west-2-aws.mindef-nl.cloud" or url like "eu-west-2-aws.mindef-nl.cloud" or userdomainname like "us-east-2.gov-ua.cloud" or url like "us-east-2.gov-ua.cloud" or userdomainname like "eu-north-1.regeringskansliet-se.cloud" or url like "eu-north-1.regeringskansliet-se.cloud" or userdomainname like "eu-southeast-1-aws.mzv-sk.cloud" or url like "eu-southeast-1-aws.mzv-sk.cloud" or userdomainname like "eu-west-3-aws.msz-pl.cloud" or url like "eu-west-3-aws.msz-pl.cloud" or userdomainname like "us-west-1.ua-gov.cloud" or url like "us-west-1.ua-gov.cloud" or userdomainname like "eu-southeast-1-aws.s3-ua.cloud" or url like "eu-southeast-1-aws.s3-ua.cloud" or userdomainname like "eu-south-2-aws.gov-sk.cloud" or url like "eu-south-2-aws.gov-sk.cloud" or userdomainname like "eu-south-1-aws.mfa-gov.cloud" or url like "eu-south-1-aws.mfa-gov.cloud" or userdomainname like "eu-south-2.gov-pl.cloud" or url like "eu-south-2.gov-pl.cloud" or userdomainname like "eu-east-1-aws.gov-sk.cloud" or url like "eu-east-1-aws.gov-sk.cloud" or userdomainname like "eu-south-2-aws.s3-de.cloud" or url like "eu-south-2-aws.s3-de.cloud" or userdomainname like "central-2-aws.ua-sec.cloud" or url like "central-2-aws.ua-sec.cloud" or userdomainname like "eu-west-2-aws.gv-at.cloud" or url like "eu-west-2-aws.gv-at.cloud" or userdomainname like "eu-north-1.gov-trust.cloud" or url like "eu-north-1.gov-trust.cloud" or userdomainname like "eu-west-1-aws.gov-ua.cloud" or url like "eu-west-1-aws.gov-ua.cloud" or userdomainname like "eu-west-3-aws.ua-mil.cloud" or url like "eu-west-3-aws.ua-mil.cloud" 
or userdomainname like "eu-west-2-aws.s3-nato.cloud" or url like "eu-west-2-aws.s3-nato.cloud" or userdomainname like "eu-central-2-aws.s3-be.cloud" or url like "eu-central-2-aws.s3-be.cloud" or userdomainname like "eu-west-3.mil-be.cloud" or url like "eu-west-3.mil-be.cloud" or userdomainname like "eu-west-1.s3-de.cloud" or url like "eu-west-1.s3-de.cloud" or userdomainname like "eu-west-3-aws.difesa-it.cloud" or url like "eu-west-3-aws.difesa-it.cloud" or userdomainname like "eu-west-3-aws.gov-trust.cloud" or url like "eu-west-3-aws.gov-trust.cloud" or userdomainname like "eu-west-3-aws.mzv-sk.cloud" or url like "eu-west-3-aws.mzv-sk.cloud" or userdomainname like "ca-central-1.ua-gov.cloud" or url like "ca-central-1.ua-gov.cloud" or userdomainname like "eu-west-1.gov-sk.cloud" or url like "eu-west-1.gov-sk.cloud" or userdomainname like "eu-west-1.mil-pl.cloud" or url like "eu-west-1.mil-pl.cloud" or userdomainname like "eu-north-1-aws.ncfta.cloud" or url like "eu-north-1-aws.ncfta.cloud" or userdomainname like "eu-south-1-aws.minbuza.cloud" or url like "eu-south-1-aws.minbuza.cloud" or userdomainname like "us-west-1-aws.gov-ua.cloud" or url like "us-west-1-aws.gov-ua.cloud" or userdomainname like "eu-southeast-1-aws.s3-be.cloud" or url like "eu-southeast-1-aws.s3-be.cloud" or userdomainname like "eu-west-1-aws.gov-trust.cloud" or url like "eu-west-1-aws.gov-trust.cloud" or userdomainname like "us-east-1-aws.ua-sec.cloud" or url like "us-east-1-aws.ua-sec.cloud" or userdomainname like "eu-central-2-aws.regeringskansliet-se.cloud" or url like "eu-central-2-aws.regeringskansliet-se.cloud" or userdomainname like "eu-west-3-aws.s3-ua.cloud" or url like "eu-west-3-aws.s3-ua.cloud" or userdomainname like "eu-north-1.s3-ua.cloud" or url like "eu-north-1.s3-ua.cloud" or userdomainname like "eu-west-1.ukrtelecom.cloud" or url like "eu-west-1.ukrtelecom.cloud" or userdomainname like "eu-north-1-aws.minbuza.cloud" or url like "eu-north-1-aws.minbuza.cloud" or userdomainname 
like "eu-west-2-aws.quirinale.cloud" or url like "eu-west-2-aws.quirinale.cloud" or userdomainname like "eu-central-1.mindef-nl.cloud" or url like "eu-central-1.mindef-nl.cloud" or userdomainname like "eu-west-1-aws.minbuza.cloud" or url like "eu-west-1-aws.minbuza.cloud"

    Detection Query 3

    userdomainname like "eu-east-1-aws.dep-no.cloud" or url like "eu-east-1-aws.dep-no.cloud" or userdomainname like "us-east-1-aws.mfa-gov.cloud" or url like "us-east-1-aws.mfa-gov.cloud" or userdomainname like "eu-central-2-aws.presidencia-pt.cloud" or url like "eu-central-2-aws.presidencia-pt.cloud" or userdomainname like "eu-west-1-aws.amazonsolutions.cloud" or url like "eu-west-1-aws.amazonsolutions.cloud" or userdomainname like "eu-west-3.mil-pl.cloud" or url like "eu-west-3.mil-pl.cloud" or userdomainname like "eu-west-3.ukrtelecom.cloud" or url like "eu-west-3.ukrtelecom.cloud" or userdomainname like "eu-west-2-aws.amazonsolutions.cloud" or url like "eu-west-2-aws.amazonsolutions.cloud" or userdomainname like "eu-central-2-aws.ua-gov.cloud" or url like "eu-central-2-aws.ua-gov.cloud" or userdomainname like "eu-west-3-aws.mil-be.cloud" or url like "eu-west-3-aws.mil-be.cloud" or userdomainname like "eu-north-1.mil-pl.cloud" or url like "eu-north-1.mil-pl.cloud" or userdomainname like "eu-west-1-aws.s3-be.cloud" or url like "eu-west-1-aws.s3-be.cloud" or userdomainname like "us-east-console.aws-ukraine.cloud" or url like "us-east-console.aws-ukraine.cloud" or userdomainname like "us-west-2.ua-energy.cloud" or url like "us-west-2.ua-energy.cloud" or userdomainname like "eu-central-2-aws.mindef-nl.cloud" or url like "eu-central-2-aws.mindef-nl.cloud" or userdomainname like "eu-east-1-aws.amazonsolutions.cloud" or url like "eu-east-1-aws.amazonsolutions.cloud" or userdomainname like "eu-west-2-aws.s3-esa.cloud" or url like "eu-west-2-aws.s3-esa.cloud" or userdomainname like "eu-west-3-aws.gov-sk.cloud" or url like "eu-west-3-aws.gov-sk.cloud" or userdomainname like "eu-central-1-aws.gov-pl.cloud" or url like "eu-central-1-aws.gov-pl.cloud" or userdomainname like "eu-central-1-aws.gov-trust.cloud" or url like "eu-central-1-aws.gov-trust.cloud" or userdomainname like "ca-west-1.mfa-gov.cloud" or url like "ca-west-1.mfa-gov.cloud" or userdomainname like 
"eu-south-1-aws.admin-ch.cloud" or url like "eu-south-1-aws.admin-ch.cloud" or userdomainname like "eu-north-1-aws.regeringskansliet-se.cloud" or url like "eu-north-1-aws.regeringskansliet-se.cloud" or userdomainname like "eu-south-2-aws.mfa-gov.cloud" or url like "eu-south-2-aws.mfa-gov.cloud" or userdomainname like "eu-north-1.ncfta.cloud" or url like "eu-north-1.ncfta.cloud" or userdomainname like "eu-central-1-aws.gov-sk.cloud" or url like "eu-central-1-aws.gov-sk.cloud" or userdomainname like "us-west-1.ukrtelecom.cloud" or url like "us-west-1.ukrtelecom.cloud" or userdomainname like "eu-east-1-aws.s3-de.cloud" or url like "eu-east-1-aws.s3-de.cloud" or userdomainname like "eu-east-1-aws.ua-gov.cloud" or url like "eu-east-1-aws.ua-gov.cloud" or userdomainname like "eu-north-1-aws.dep-no.cloud" or url like "eu-north-1-aws.dep-no.cloud" or userdomainname like "eu-east-1-aws.gov-ua.cloud" or url like "eu-east-1-aws.gov-ua.cloud" or userdomainname like "eu-north-1.difesa-it.cloud" or url like "eu-north-1.difesa-it.cloud" or userdomainname like "eu-west-1.minbuza.cloud" or url like "eu-west-1.minbuza.cloud" or userdomainname like "eu-central-1-aws.quirinale.cloud" or url like "eu-central-1-aws.quirinale.cloud" or userdomainname like "eu-south-2-aws.s3-be.cloud" or url like "eu-south-2-aws.s3-be.cloud" or userdomainname like "eu-southeast-1-aws.s3-esa.cloud" or url like "eu-southeast-1-aws.s3-esa.cloud" or userdomainname like "eu-north-1-aws.mil-pl.cloud" or url like "eu-north-1-aws.mil-pl.cloud" or userdomainname like "eu-central-2-aws.aws-ukraine.cloud" or url like "eu-central-2-aws.aws-ukraine.cloud" or userdomainname like "eu-southeast-1-aws.mil-pl.cloud" or url like "eu-southeast-1-aws.mil-pl.cloud" or userdomainname like "eu-east-1-aws.regeringskansliet-se.cloud" or url like "eu-east-1-aws.regeringskansliet-se.cloud" or userdomainname like "eu-east-1-aws.minbuza.cloud" or url like "eu-east-1-aws.minbuza.cloud" or userdomainname like 
"eu-central-1-aws.msz-pl.cloud" or url like "eu-central-1-aws.msz-pl.cloud" or userdomainname like "eu-west-1-aws.aws-ukraine.cloud" or url like "eu-west-1-aws.aws-ukraine.cloud" or userdomainname like "eu-west-2-aws.s3-ua.cloud" or url like "eu-west-2-aws.s3-ua.cloud" or userdomainname like "eu-central-1.s3-esa.cloud" or url like "eu-central-1.s3-esa.cloud" or userdomainname like "eu-south-2-aws.ncfta.cloud" or url like "eu-south-2-aws.ncfta.cloud" or userdomainname like "eu-central-1-aws.ukrainesec.cloud" or url like "eu-central-1-aws.ukrainesec.cloud" or userdomainname like "eu-central-2-aws.dep-no.cloud" or url like "eu-central-2-aws.dep-no.cloud" or userdomainname like "us-east-2.aws-ukraine.cloud" or url like "us-east-2.aws-ukraine.cloud" or userdomainname like "eu-southeast-1-aws.amazonsolutions.cloud" or url like "eu-southeast-1-aws.amazonsolutions.cloud" or userdomainname like "eu-southeast-1-aws.mil-be.cloud" or url like "eu-southeast-1-aws.mil-be.cloud" or userdomainname like "eu-east-1-aws.mil-pl.cloud" or url like "eu-east-1-aws.mil-pl.cloud" or userdomainname like "eu-west-1-aws.gov-sk.cloud" or url like "eu-west-1-aws.gov-sk.cloud" or userdomainname like "eu-south-2-aws.regeringskansliet-se.cloud" or url like "eu-south-2-aws.regeringskansliet-se.cloud" or userdomainname like "eu-west-3-aws.s3-be.cloud" or url like "eu-west-3-aws.s3-be.cloud" or userdomainname like "eu-west-3-aws.mil-pl.cloud" or url like "eu-west-3-aws.mil-pl.cloud" or userdomainname like "eu-central-1.ua-sec.cloud" or url like "eu-central-1.ua-sec.cloud" or userdomainname like "eu-central-2-aws.msz-pl.cloud" or url like "eu-central-2-aws.msz-pl.cloud" or userdomainname like "eu-southeast-1-aws.gov-sk.cloud" or url like "eu-southeast-1-aws.gov-sk.cloud" or userdomainname like "eu-west-2-aws.mil-be.cloud" or url like "eu-west-2-aws.mil-be.cloud" or userdomainname like "eu-west-1-aws.ua-sec.cloud" or url like "eu-west-1-aws.ua-sec.cloud" or userdomainname like 
"us-east-2-aws.ukrtelecom.cloud" or url like "us-east-2-aws.ukrtelecom.cloud" or userdomainname like "eu-south-1-aws.dep-no.cloud" or url like "eu-south-1-aws.dep-no.cloud" or userdomainname like "eu-southeast-1-aws.dep-no.cloud" or url like "eu-southeast-1-aws.dep-no.cloud" or userdomainname like "eu-north-1.s3-de.cloud" or url like "eu-north-1.s3-de.cloud" or userdomainname like "eu-central-2-aws.mil-be.cloud" or url like "eu-central-2-aws.mil-be.cloud" or userdomainname like "eu-south-2.mil-pl.cloud" or url like "eu-south-2.mil-pl.cloud" or userdomainname like "us-east-2.ua-sec.cloud" or url like "us-east-2.ua-sec.cloud" or userdomainname like "eu-south-2-aws.gov-pl.cloud" or url like "eu-south-2-aws.gov-pl.cloud" or userdomainname like "eu-southeast-1-aws.aws-ukraine.cloud" or url like "eu-southeast-1-aws.aws-ukraine.cloud" or userdomainname like "ap-northeast-1-aws.ukrainesec.cloud" or url like "ap-northeast-1-aws.ukrainesec.cloud" or userdomainname like "ca-west-1.ukrtelecom.cloud" or url like "ca-west-1.ukrtelecom.cloud" or userdomainname like "eu-north-1.mzv-sk.cloud" or url like "eu-north-1.mzv-sk.cloud" or userdomainname like "us-east-2-aws.ua-gov.cloud" or url like "us-east-2-aws.ua-gov.cloud" or userdomainname like "us-west-1-amazon.ua-sec.cloud" or url like "us-west-1-amazon.ua-sec.cloud" or userdomainname like "eu-west-2-aws.gov-sk.cloud" or url like "eu-west-2-aws.gov-sk.cloud" or userdomainname like "eu-west-3.mzv-sk.cloud" or url like "eu-west-3.mzv-sk.cloud" or userdomainname like "eu-west-3-aws.quirinale.cloud" or url like "eu-west-3-aws.quirinale.cloud" or userdomainname like "eu-west-1-aws.quirinale.cloud" or url like "eu-west-1-aws.quirinale.cloud" or userdomainname like "eu-central-1.s3-nato.cloud" or url like "eu-central-1.s3-nato.cloud" or userdomainname like "eu-south-2.mindef-nl.cloud" or url like "eu-south-2.mindef-nl.cloud" or userdomainname like "eu-west-3.s3-be.cloud" or url like "eu-west-3.s3-be.cloud" or userdomainname like 
"eu-south-2.ukrainesec.cloud" or url like "eu-south-2.ukrainesec.cloud"

    Detection Query 4

    userdomainname like "ca-west-1.aws-ukraine.cloud" or url like "ca-west-1.aws-ukraine.cloud" or userdomainname like "central-2-aws.ukrainesec.cloud" or url like "central-2-aws.ukrainesec.cloud" or userdomainname like "eu-central-1.mil-pl.cloud" or url like "eu-central-1.mil-pl.cloud" or userdomainname like "eu-central-1.minbuza.cloud" or url like "eu-central-1.minbuza.cloud" or userdomainname like "eu-central-1.s3-be.cloud" or url like "eu-central-1.s3-be.cloud" or  userdomainname like "eu-central-1.ukrtelecom.cloud" or url like "eu-central-1.ukrtelecom.cloud" or userdomainname like "eu-central-1-aws.amazonsolutions.cloud" or url like "eu-central-1-aws.amazonsolutions.cloud" or userdomainname like "eu-central-1-aws.mfa-gov.cloud" or url like "eu-central-1-aws.mfa-gov.cloud" or userdomainname like "eu-central-1-aws.ncfta.cloud" or url like "eu-central-1-aws.ncfta.cloud" or userdomainname like "eu-central-1-aws.presidencia-pt.cloud" or url like "eu-central-1-aws.presidencia-pt.cloud" or userdomainname like "eu-central-1-aws.ua-gov.cloud" or url like "eu-central-1-aws.ua-gov.cloud" or userdomainname like "eu-central-2-aws.gov-pl.cloud" or url like "eu-central-2-aws.gov-pl.cloud" or userdomainname like "eu-central-2-aws.gov-sk.cloud" or url like "eu-central-2-aws.gov-sk.cloud" or userdomainname like "eu-central-2-aws.mzv-sk.cloud" or url like "eu-central-2-aws.mzv-sk.cloud" or userdomainname like "eu-central-2-aws.ua-mil.cloud" or url like "eu-central-2-aws.ua-mil.cloud" or userdomainname like "eu-central-2-aws.ukrtelecom.cloud" or url like "eu-central-2-aws.ukrtelecom.cloud" or userdomainname like "eu-east-1-aws.mil-be.cloud" or url like "eu-east-1-aws.mil-be.cloud" or userdomainname like "eu-east-1-aws.mzv-sk.cloud" or url like "eu-east-1-aws.mzv-sk.cloud" or userdomainname like "eu-east-1-aws.quirinale.cloud" or url like "eu-east-1-aws.quirinale.cloud" or userdomainname like "eu-east-1-aws.ua-sec.cloud" or url like "eu-east-1-aws.ua-sec.cloud" or userdomainname 
like "eu-north-1.gv-at.cloud" or url like "eu-north-1.gv-at.cloud" or userdomainname like "eu-north-1.mil-be.cloud" or url like "eu-north-1.mil-be.cloud" or userdomainname like "eu-north-1.s3-be.cloud" or url like "eu-north-1.s3-be.cloud" or userdomainname like "eu-north-1-aws.gov-pl.cloud" or url like "eu-north-1-aws.gov-pl.cloud" or userdomainname like "eu-north-1-aws.gov-sk.cloud" or url like "eu-north-1-aws.gov-sk.cloud" or userdomainname like "eu-north-1-aws.presidencia-pt.cloud" or url like "eu-north-1-aws.presidencia-pt.cloud" or userdomainname like "eu-north-1-aws.ua-energy.cloud" or url like "eu-north-1-aws.ua-energy.cloud" or userdomainname like "eu-north-1-aws.ua-gov.cloud" or url like "eu-north-1-aws.ua-gov.cloud" or userdomainname like "eu-south-1-aws.gov-trust.cloud" or url like "eu-south-1-aws.gov-trust.cloud" or userdomainname like "eu-south-1-aws.quirinale.cloud" or url like "eu-south-1-aws.quirinale.cloud" or userdomainname like "eu-south-1-aws.s3-be.cloud" or url like "eu-south-1-aws.s3-be.cloud" or userdomainname like "eu-south-2.gov-sk.cloud" or url like "eu-south-2.gov-sk.cloud" or userdomainname like "eu-south-2.s3-de.cloud" or url like "eu-south-2.s3-de.cloud" or userdomainname like "eu-south-2.s3-esa.cloud" or url like "eu-south-2.s3-esa.cloud" or userdomainname like "eu-south-2-aws.dep-no.cloud" or url like "eu-south-2-aws.dep-no.cloud" or userdomainname like "eu-south-2-aws.mil-pl.cloud" or url like "eu-south-2-aws.mil-pl.cloud" or userdomainname like "eu-south-2-aws.mil-pt.cloud" or url like "eu-south-2-aws.mil-pt.cloud" or userdomainname like "eu-south-2-aws.quirinale.cloud" or url like "eu-south-2-aws.quirinale.cloud" or userdomainname like "eu-south-2-aws.s3-nato.cloud" or url like "eu-south-2-aws.s3-nato.cloud" or userdomainname like "eu-south-2-aws.s3-ua.cloud" or url like "eu-south-2-aws.s3-ua.cloud" or userdomainname like "eu-southeast-1-aws.difesa-it.cloud" or url like "eu-southeast-1-aws.difesa-it.cloud" or userdomainname like 
"eu-southeast-1-aws.mindef-nl.cloud" or url like "eu-southeast-1-aws.mindef-nl.cloud" or userdomainname like "eu-southeast-1-aws.msz-pl.cloud" or url like "eu-southeast-1-aws.msz-pl.cloud" or userdomainname like "eu-southeast-1-aws.s3-de.cloud" or url like "eu-southeast-1-aws.s3-de.cloud" or userdomainname like "eu-west-1.aws-ukraine.cloud" or url like "eu-west-1.aws-ukraine.cloud" or userdomainname like "eu-west-1.difesa-it.cloud" or url like "eu-west-1.difesa-it.cloud" or userdomainname like "eu-west-1.msz-pl.cloud" or url like "eu-west-1.msz-pl.cloud" or userdomainname like "eu-west-1.s3-ua.cloud" or url like "eu-west-1.s3-ua.cloud" or userdomainname like "eu-west-1-aws.dep-no.cloud" or url like "eu-west-1-aws.dep-no.cloud" or userdomainname like "eu-west-1-aws.gov-pl.cloud" or url like "eu-west-1-aws.gov-pl.cloud" or userdomainname like "eu-west-1-aws.mil-pl.cloud" or url like "eu-west-1-aws.mil-pl.cloud" or userdomainname like "eu-west-1-aws.s3-esa.cloud" or url like "eu-west-1-aws.s3-esa.cloud" or userdomainname like "eu-west-1-aws.s3-nato.cloud" or url like "eu-west-1-aws.s3-nato.cloud" or userdomainname like "eu-west-2-aws.difesa-it.cloud" or url like "eu-west-2-aws.difesa-it.cloud"  or userdomainname like "eu-west-2-aws.mil-pl.cloud" or url like "eu-west-2-aws.mil-pl.cloud" or userdomainname like "eu-west-2-aws.minbuza.cloud" or url like "eu-west-2-aws.minbuza.cloud" or userdomainname like "eu-west-2-aws.s3-be.cloud" or url like "eu-west-2-aws.s3-be.cloud" or userdomainname like "eu-west-2-aws.ua-sec.cloud" or url like "eu-west-2-aws.ua-sec.cloud" or userdomainname like "eu-west-3.amazonsolutions.cloud" or url like "eu-west-3.amazonsolutions.cloud" or userdomainname like "eu-west-3.mindef-nl.cloud" or url like "eu-west-3.mindef-nl.cloud" or userdomainname like "eu-west-3.s3-ua.cloud" or url like "eu-west-3.s3-ua.cloud" or userdomainname like "eu-west-3.ukrainesec.cloud" or url like "eu-west-3.ukrainesec.cloud" or userdomainname like 
"eu-west-3-aws.gov-pl.cloud" or url like "eu-west-3-aws.gov-pl.cloud" or userdomainname like "eu-west-3-aws.mil-pt.cloud" or url like "eu-west-3-aws.mil-pt.cloud" or userdomainname like "eu-west-3-aws.minbuza.cloud" or url like "eu-west-3-aws.minbuza.cloud" or userdomainname like "eu-west-3-aws.regeringskansliet-se.cloud" or url like "eu-west-3-aws.regeringskansliet-se.cloud" or userdomainname like "us-east-1-aws.s3-ua.cloud" or url like "us-east-1-aws.s3-ua.cloud" or userdomainname like "us-east-1-aws.ua-gov.cloud" or url like "us-east-1-aws.ua-gov.cloud" or userdomainname like "us-east-2.ukrainesec.cloud" or url like "us-east-2.ukrainesec.cloud" or userdomainname like "us-east-console.ua-energy.cloud" or url like "us-east-console.ua-energy.cloud" or userdomainname like "us-west-1.aws-ukraine.cloud" or url like "us-west-1.aws-ukraine.cloud" or userdomainname like "us-west-1-amazon.ua-mil.cloud" or url like "us-west-1-amazon.ua-mil.cloud" or userdomainname like "us-west-2.ua-sec.cloud" or url like "us-west-2.ua-sec.cloud" or userdomainname like "us-west-2-aws.mfa-gov.cloud" or url like "us-west-2-aws.mfa-gov.cloud"

    Detection Query 5

    from in ("sellar.co.uk","townoflakelure.com","totalconstruction.com.au","swpartners.com.au","cewalton.com") or to in ("sellar.co.uk","townoflakelure.com","totalconstruction.com.au","swpartners.com.au","cewalton.com") or senderemail in ("sellar.co.uk","townoflakelure.com","totalconstruction.com.au","swpartners.com.au","cewalton.com") or recipientemail in ("sellar.co.uk","townoflakelure.com","totalconstruction.com.au","swpartners.com.au","cewalton.com")

    Detection Query 6

    (resourcename in ("Windows Security") AND eventtype = "4663") AND objectname IN ("AWS IAM Compliance Check.rdp","AWS IAM Configuration.rdp","AWS IAM Quick Start.rdp","AWS SDE Compliance Check.rdp","AWS SDE Environment Check.rdp","AWS Secure Data Exchange – Compliance Check.rdp","AWS Secure Data Exchange Compliance.rdp","Device Configuration Verification.rdp","Device Security Requirements Check.rdp","IAM Identity Center Access.rdp","IAM Identity Center Application Access.rdp","Zero Trust Architecture Configuration.rdp","Zero Trust Security Environment Compliance Check.rdp","ZTS Device Compatibility Test.rdp")

    Detection Query 7

    (technologygroup = "EDR") AND objectname IN ("AWS IAM Compliance Check.rdp","AWS IAM Configuration.rdp","AWS IAM Quick Start.rdp","AWS SDE Compliance Check.rdp","AWS SDE Environment Check.rdp","AWS Secure Data Exchange – Compliance Check.rdp","AWS Secure Data Exchange Compliance.rdp","Device Configuration Verification.rdp","Device Security Requirements Check.rdp","IAM Identity Center Access.rdp","IAM Identity Center Application Access.rdp","Zero Trust Architecture Configuration.rdp","Zero Trust Security Environment Compliance Check.rdp","ZTS Device Compatibility Test.rdp")
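    As an added example, not part of the original advisory or its SIEM queries: the matching logic of Detection Queries 5 to 7 written in Python and run over constructed sample records. It goes slightly beyond the bare string comparisons above by reducing a full ObjectName path to a case-folded basename and by matching the sender's domain (and its subdomains) extracted from the address; the record field names (EventID, ObjectName, from) are assumptions for the sample data.

```python
import re

# Lure filenames and sender domains copied from Detection Queries 5-7 above.
RDP_LURE_NAMES = {
    "AWS IAM Compliance Check.rdp", "AWS IAM Configuration.rdp",
    "AWS IAM Quick Start.rdp", "AWS SDE Compliance Check.rdp",
    "AWS SDE Environment Check.rdp", "AWS Secure Data Exchange – Compliance Check.rdp",
    "AWS Secure Data Exchange Compliance.rdp", "Device Configuration Verification.rdp",
    "Device Security Requirements Check.rdp", "IAM Identity Center Access.rdp",
    "IAM Identity Center Application Access.rdp", "Zero Trust Architecture Configuration.rdp",
    "Zero Trust Security Environment Compliance Check.rdp", "ZTS Device Compatibility Test.rdp",
}
SENDER_DOMAINS = {"sellar.co.uk", "townoflakelure.com", "totalconstruction.com.au",
                  "swpartners.com.au", "cewalton.com"}

def _basename(path):
    # Case-folded final path component, so a full ObjectName path still matches.
    return re.split(r"[\\/]", path)[-1].casefold()

_LURES = {_basename(n) for n in RDP_LURE_NAMES}

def rdp_lure_hits(events):
    """ObjectNames from Windows Security 4663 events that touch a lure filename."""
    return [ev["ObjectName"] for ev in events
            if ev.get("EventID") == 4663 and _basename(ev.get("ObjectName", "")) in _LURES]

def sender_domain_hits(messages):
    """Sender addresses whose domain is, or is a subdomain of, a listed domain."""
    hits = []
    for msg in messages:
        domain = msg.get("from", "").rpartition("@")[2].casefold()
        if any(domain == d or domain.endswith("." + d) for d in SENDER_DOMAINS):
            hits.append(msg["from"])
    return hits

# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Downloads\AWS IAM Quick Start.rdp"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\budget.xlsx"},
    {"EventID": 4656, "ObjectName": r"C:\Users\alice\Downloads\AWS IAM Quick Start.rdp"},
    {"EventID": 4663, "ObjectName": r"C:\Temp\zts device compatibility test.RDP"},
]
SAMPLE_MAIL = [{"from": "it-support@sellar.co.uk"}, {"from": "alerts@mail.cewalton.com"},
               {"from": "colleague@example.org"}]
```

    Filename matching alone is brittle, since the actor can rename the lure; treat these hits as a starting point for triage rather than the only RDP-attachment detection.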

    References:

    https://www.cisa.gov/news-events/alerts/2024/10/31/foreign-threat-actor-conducting-large-scale-spear-phishing-campaign-rdp-attachments

    https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/


    Tags

    Malware, CISA, Phishing, APT, CyberEspionage, RDP
