{ "type": "Domain", "indicator": "data-logistics.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/data-logistics.com", "alexa": "http://www.alexa.com/siteinfo/data-logistics.com", "indicator": "data-logistics.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3332840881, "indicator": "data-logistics.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69307a4a316b3f36d7ee486e", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-03T17:58:34.643000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "692e9c914ced34fd3e8f7f87", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ef83067685aa837268c69", "name": "Adversaries Leverage Evilginx to Bypass MFA via Advanced SSO Phishing", "description": "The list of Evilginx phishing proxy URLs has grown to 1.8 billion - that is, at least, the most accurate estimate of the number of people affected by the virus or infection.", "modified": "2026-01-13T17:02:50.953000", "created": "2025-12-14T17:47:28.253000", "tags": [ "domain", "evilginx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692e9c914ced34fd3e8f7f87", "name": "IOC - DNS Uncovers Infrastructure Used in SSO Attacks", "description": "We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T08:00:17.266000", "tags": [ "evilginx", "domain", "ipv4 dedicated", "ip address" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936555c0863e6cdda48af39", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-08T04:34:36.222000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6937a60ed12db3a87b389848", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-09T04:31:10.042000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6937ccf0bcd1707a6fcd72ec", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-09T07:17:04.381000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Evilginx" ], "industries": [ "Education" ] }, "other": { "adversary": [ "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex" ], "malware_families": [ "Evilginx" ], "industries": [ "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69307a4a316b3f36d7ee486e", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-03T17:58:34.643000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "692e9c914ced34fd3e8f7f87", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ef83067685aa837268c69", "name": "Adversaries Leverage Evilginx to Bypass MFA via Advanced SSO Phishing", "description": "The list of Evilginx phishing proxy URLs has grown to 1.8 billion - that is, at least, the most accurate estimate of the number of people affected by the virus or infection.", "modified": "2026-01-13T17:02:50.953000", "created": "2025-12-14T17:47:28.253000", "tags": [ "domain", "evilginx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692e9c914ced34fd3e8f7f87", "name": "IOC - DNS Uncovers Infrastructure Used in SSO Attacks", "description": "We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T08:00:17.266000", "tags": [ "evilginx", "domain", "ipv4 dedicated", "ip address" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936555c0863e6cdda48af39", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-08T04:34:36.222000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6937a60ed12db3a87b389848", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-09T04:31:10.042000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6937ccf0bcd1707a6fcd72ec", "name": "DNS Uncovers Infrastructure Used in SSO Attacks", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-09T07:17:04.381000", "tags": [ "evilginx", "aitm", "tinyurl", "mitm", "sso", "reverse proxy", "phishing" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Evilginx", "display_name": "Evilginx", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": "69307a4a316b3f36d7ee486e", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "data-logistics.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "data-logistics.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214286.8637214 }