Please note that this blog post is part of our #VTMondays series; check out our collection of past publications here.
One of the main attack vectors used for credential theft and malware deployment is the malicious link: URLs that lead to impersonated websites or that distribute malware. By studying malicious campaigns, defenders can learn attacker tactics and refine their defensive arsenal. They can also use suspicious URLs preemptively, updating deny lists and searching for related activity inside the network or at its perimeter.
VT Intelligence provides a powerful toolset for this mission and can be used to improve URL filtering in your firewalls. In this post we walk through a series of VT queries of progressively increasing complexity and dissect the modifiers added at each step. Feel free to experiment with and refine these examples to build your own customized queries.
To begin, we search for URLs (“entity:url”) categorized as phishing according to the content category of their domain (“category:phishing”) or labeled as phishing by antivirus engines (“engines:phishing”). We use the “p” modifier (“p” is short for “positives”, the number of engine detections) to discard benign URLs. Here we want URLs with more than 15 detections to avoid false positives, but the threshold is entirely at your discretion. Finally, we look for URLs first seen (“fs”, short for first submission) in the last 7 days (7d+).
The following query hunts for new malicious URLs submitted to VirusTotal in the last 7 days that distribute Microsoft document or PDF files (“tag:downloads-doc or tag:downloads-pdf”). We again use the “p” modifier to search for URLs with a high number of detections (“p:15+”), since malicious URLs used for phishing are likely to distribute this kind of file.
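To make the two queries above reusable from a defender's tooling, here is an added Python example (not code from the VirusTotal post) that composes the query strings from the modifiers just described and reduces search results to a hostname deny list for firewall URL filtering. The API endpoint, header name and response shape are assumed to follow VirusTotal API v3, and the sample response is constructed, not real VT data.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"  # assumed v3 endpoint

def build_query(positives=15, days=7, categories=(), tags=()):
    """Compose a VT Intelligence URL query from the modifiers used in the post."""
    parts = ["entity:url"]
    if categories:  # domain content category OR an AV engine label, e.g. phishing
        parts.append("(" + " or ".join(f"category:{c} or engines:{c}" for c in categories) + ")")
    if tags:        # e.g. downloads-doc / downloads-pdf
        parts.append("(" + " or ".join(f"tag:{t}" for t in tags) + ")")
    parts.append(f"p:{positives}+")   # minimum number of engine detections
    parts.append(f"fs:{days}d+")      # first submission within the last N days
    return " ".join(parts)

def search(api_key, query, limit=100):
    """Run the query against VT (network call; not exercised offline). v3 schema assumed."""
    url = f"{VT_SEARCH}?{urlencode({'query': query, 'limit': limit})}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def hosts_to_deny(response, min_positives=15):
    """Reduce search results to {hostname: max detections}, re-checking the threshold locally."""
    hosts = {}
    for obj in response.get("data", []):
        if obj.get("type") != "url":
            continue
        attrs = obj.get("attributes", {})
        positives = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        host = urlsplit(attrs.get("url", "")).hostname
        if host and positives >= min_positives:
            hosts[host] = max(hosts.get(host, 0), positives)
    return dict(sorted(hosts.items()))

# Constructed sample response (not real VT data) in the assumed v3 shape.
SAMPLE = {"data": [
    {"type": "url", "attributes": {"url": "http://secure-login.example.net/auth/index.php",
                                   "last_analysis_stats": {"malicious": 22, "harmless": 60}}},
    {"type": "url", "attributes": {"url": "https://docs.example.org/invoice.pdf",
                                   "last_analysis_stats": {"malicious": 3, "harmless": 80}}},
    {"type": "url", "attributes": {"url": "http://secure-login.example.net/verify",
                                   "last_analysis_stats": {"malicious": 18, "harmless": 65}}},
]}

if __name__ == "__main__":
    print(build_query(categories=["phishing"]))                     # first query from the post
    print(build_query(tags=["downloads-doc", "downloads-pdf"]))     # second query from the post
    for host, n in hosts_to_deny(SAMPLE).items():
        print(f"{host}\t{n}")
```

Feed the deny list into your firewall or proxy block list and keep the local threshold check: detection counts drift between the time of the search and the time of export.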
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
This article has been indexed from VirusTotal Blog