PULSE NAME: "don't save her" a continued message * CAPE Sandbox
WHITE msudosos 2026-05-22 Modified: 2026-05-24
715 IOCs (HIGH VOLUME)
[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext
Indicators of Compromise (149 / 715 total)