Pulse Detail — Threat Intelligence

PULSE NAME

Phishing Targeting Protonmail users

WHITE AlienVault 2019-07-25 Modified: 2019-08-01

IOCs

MEDIUM VOLUME

On July 24th, Bellingcat shared a phishing email from July 23rd that unsuccessfully targeted Christo Grozev, a Bellingcat contributor who focuses on Russia-related security threats and weaponization of information.

bellingcat russia

Indicators of Compromise (21)

All domain URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	protonmail.direct	—	2019-07-25
domain	mailprotonmail.ch	—	2019-07-25
domain	mailprotonmail.com	—	2019-07-25
domain	protonmail.systems	—	2019-07-25
domain	prtn.xyz	—	2019-07-25
URL	http://mail.protonmail.sh	—	2019-07-25
hostname	user.protonmail.support	—	2019-07-25
hostname	my.secure-protonmail.com	—	2019-07-25
URL	http://prtn.app/	—	2019-07-29
URL	http://protonmail.team/	—	2019-07-29
URL	http://mailprotonmail.com/	—	2019-07-29
hostname	www.mailprotonmail.ch	—	2019-07-29
domain	mailprotonmail.co	—	2019-07-29
domain	protonmail.gmbh	—	2019-07-29
domain	prtn.app	—	2019-07-29
domain	prtn.email	—	2019-07-29
domain	protonmail.team	—	2019-07-29
URL	http://protonmail.sh	—	2019-07-29
domain	protonmail.earth	—	2019-08-01
domain	secure-protonmail.com	—	2019-08-01
domain	protonmail.support	—	2019-08-01

References (4)

↗ https://twitter.com/christogrozev/status/1153930487037140992 ↗ https://threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/ ↗ https://protonmail.com/blog/bellingcat-cyberattack-phishing/ ↗ https://www.riskiq.com/blog/labs/bellingcat-phishing/