stamparm / maltrail

Malicious traffic detection system
MIT License

[BUG] admin-mcas.ms was listed as malicious, because of domain extraction logic flaw #19281

Closed MatthewShao closed 2 weeks ago

MatthewShao commented 1 month ago

Describe the bug: "admin-mcas.ms" was listed in https://github.com/stamparm/maltrail/blob/master/trails/static/malware/apt_transparenttribe.txt#L2151. This is a white domain owned by Microsoft, reference: https://learn.microsoft.com/en-us/defender-cloud-apps/troubleshooting-proxy-url

The IOC extraction logic has a flaw when producing this domain: it was indiacode[.]nic[.]in[.]admin-mcas[.]ms in the original post, so the subdomain truncation likely introduced a false positive.

Fix: I think it is better to remove the subdomain truncation when extracting domains from public posts, e.g. we should only produce

instead of:
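As an added illustration of the flaw described in this report (example code, not maltrail's own extraction logic; the "keep the last two labels" step is an assumed simplification of the truncation the issue refers to), this Python sketch extracts hosts from a constructed defanged post with and without subdomain truncation and shows which result collides with the Microsoft-owned domain:

```python
import re

# Constructed sample text in the style of a defanged public report (not a real post).
# It contains the host named in the issue plus one unrelated host for contrast.
SAMPLE_POST = (
    "C2 traffic observed to indiacode[.]nic[.]in[.]admin-mcas[.]ms, "
    "payload staged on files[.]example[.]com."
)

# Hostname pattern: one or more labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Hypothetical allowlist of known-benign domains; admin-mcas.ms is the
# Microsoft-owned domain from the issue.
KNOWN_BENIGN = {"admin-mcas.ms"}


def refang(text: str) -> str:
    """Undo the common '[.]' defanging so hosts can be matched."""
    return text.replace("[.]", ".")


def extract_hosts(text: str) -> list[str]:
    """Return every hostname found in the (refanged) text, lower-cased."""
    return [m.group(0).lower() for m in HOST_RE.finditer(refang(text))]


def truncate_to_registrable(host: str, labels: int = 2) -> str:
    """Flawed step: keep only the last `labels` DNS labels of the host.
    Assumed here as a simplified model of the truncation described in the issue."""
    return ".".join(host.split(".")[-labels:])


def extract_trails(text: str, truncate_subdomains: bool) -> list[str]:
    """Build the trail list, optionally applying the flawed truncation."""
    trails: list[str] = []
    for host in extract_hosts(text):
        trail = truncate_to_registrable(host) if truncate_subdomains else host
        if trail not in trails:
            trails.append(trail)
    return trails


def false_positives(trails: list[str]) -> list[str]:
    """Trails that collide with a known-benign domain (would flag legitimate traffic)."""
    return [t for t in trails if t in KNOWN_BENIGN]
```

With truncation the list contains "admin-mcas.ms" and collides with the allowlist; keeping the full hostname, as the reporter proposes, yields no collision.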

MikhailKasimov commented 1 month ago

Fixed in https://github.com/stamparm/maltrail/commit/042ccbf8f7455c8e88f450a8bda0459edecb9813

Thank you for reporting!