Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra
WHITE AlienVault 2022-02-04 Modified: 2024-03-15
In December 2021, through its Network Security Monitoring service, Volexity identified a series of targeted spear-phishing campaigns against one of its customers from a threat actor it tracks as TEMP_Heretic. Analysis of the emails from these spear-phishing campaigns led to a discovery: the attacker was attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in the Zimbra email platform. Zimbra is an open-source email platform often used by organizations as an alternative to Microsoft Exchange.
Indicators of Compromise (62)