Rules Contributing to Phishing Domain with File Extension TLD

The following rules are used to identify DNS queries to TLDs that resemble file extensions. Any one or more of these will trigger the Phishing Domain with File Extension TLD Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Phishing Domain with File Extension TLD

DNS query to TLDs that resemble file extensions. Attackers may use these TLDs for phishing.

More details

Rule ID

dns_2

Query

{'selection_domain': {'DnsQuestionName|endswith': ['.zip', '.mov']}, 'condition': 'selection_domain'}

Log Source

Stellar Cyber Network Events configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

INITIAL_ACCESS, T1566

References

Severity

Suppression Logic Based On

srcip
dns.question.name
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2024/05/15	low	Legit domains with .zip or .mov TLDs. These new TLDs are rarely seen in common websites.