[nsp-sec] Pwned IMAP accounts searches.
Bevier, RuthAnne (RuthAnne)
ruthanne at caltech.edu
Sun Jul 25 20:53:23 EDT 2021
Thanks for this, Scott. Permission to share the search terms with our InfoSec team?
—RuthAnne
> On Jul 25, 2021, at 5:07 PM, Scott A. McIntyre <scott at howyagoin.net> wrote:
>
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> If you work somewhere that provides email services, as I do, then you may also have seen a real rise in compromised IMAP accounts during the last year or so.
>
> One thing that I have noticed is that there seems to be a somewhat standardised tool being used by the interlopers -- once they gain access to an IMAP account, they will run through the same series of around 225 searches, looking for emails of interest.
>
> Attached is a list that has a few hundred of these most common search terms that we've seen.
>
> This same list, with only a few minor variations, seems to be used repeatedly, so clearly there's a kit out there...
>
> Thought it might be interesting for those of you trying to keep your email systems relatively intact.
>
> I've been using it to quickly identify compromised accounts and speed up remediation activities.
>
> Regards,
>
> Scott
>
> ---
> Scott A. McIntyre
> Chief Security Specialist
> Telstra Cyber Security
> abuse at telstra.com
> <searches.txt>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
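One way to operationalise the approach Scott describes (matching a session's IMAP SEARCH activity against a known term list to spot a scripted mailbox-mining kit), as an added example that is not part of the original thread and not Scott's tooling. It assumes a simplified, constructed log format (one line per SEARCH command carrying a session id, user, client IP and the raw search arguments) and an illustrative placeholder watchlist; the real searches.txt is attached to the original post and is not reproduced here. The detector flags a session that issues many distinct search terms in a short window when most of those terms are on the watchlist, which separates a scripted run from a user doing one or two ad-hoc searches.

```python
"""Flag IMAP sessions whose SEARCH activity looks like a scripted
mailbox-mining kit: a burst of many distinct searches, most of them
drawn from a known term list.

The log format and the watchlist below are constructed for this example;
they are neither the attached searches.txt nor any real server's log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Illustrative watchlist standing in for the attached term list (assumed).
WATCHLIST = {"invoice", "wire transfer", "password", "bank", "payment", "login"}

# Constructed sample log: s1 is a scripted run, s2 an ordinary user.
SAMPLE_LOG = """\
2021-07-25T17:01:02Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH SUBJECT "invoice"
2021-07-25T17:01:05Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH TEXT "wire transfer"
2021-07-25T17:01:08Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH SUBJECT "password"
2021-07-25T17:01:11Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH BODY "bank"
2021-07-25T17:01:14Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH SUBJECT "payment"
2021-07-25T17:01:17Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH SUBJECT "invoice"
2021-07-25T17:01:20Z session=s1 user=alice@example.edu ip=203.0.113.5 cmd=SEARCH TEXT "login"
2021-07-25T17:05:00Z session=s2 user=bob@example.edu ip=198.51.100.7 cmd=SEARCH FROM "carol@example.edu"
2021-07-25T17:06:00Z session=s2 user=bob@example.edu ip=198.51.100.7 cmd=SEARCH SUBJECT "lunch"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'cmd=SEARCH (?P<args>.*)$')
# IMAP SEARCH keys that take a quoted string argument (RFC 3501 section 6.4.4).
TERM_RE = re.compile(r'\b(?:SUBJECT|BODY|TEXT|FROM|TO|CC)\s+"([^"]*)"', re.I)


def parse_search_events(log_text):
    """Return a list of (timestamp, session, user, ip, [terms]) per SEARCH line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SEARCH line in the expected format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        terms = [t.strip().lower() for t in TERM_RE.findall(m.group("args"))]
        events.append((ts, m.group("sid"), m.group("user"), m.group("ip"), terms))
    return events


def score_sessions(events, watchlist, min_distinct=5, min_overlap=0.5,
                   window_seconds=900):
    """Group SEARCH events by session and flag those that issue at least
    min_distinct distinct terms inside any window_seconds window, where at
    least min_overlap of the session's distinct terms are on the watchlist.
    Returns {session_id: summary dict}."""
    watch = {w.lower() for w in watchlist}
    by_session = defaultdict(list)
    for ts, sid, user, ip, terms in events:
        by_session[sid].append((ts, user, ip, terms))

    results = {}
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r[0])
        distinct = {t for _, _, _, terms in rows for t in terms}
        hits = distinct & watch
        overlap = len(hits) / len(distinct) if distinct else 0.0

        # Sliding window: most distinct terms seen within window_seconds.
        burst = 0
        for i in range(len(rows)):
            seen = set()
            for ts, _, _, terms in rows[i:]:
                if (ts - rows[i][0]).total_seconds() > window_seconds:
                    break
                seen.update(terms)
            burst = max(burst, len(seen))

        results[sid] = {
            "user": rows[0][1],
            "ip": rows[0][2],
            "distinct_terms": len(distinct),
            "burst_distinct": burst,
            "watchlist_hits": sorted(hits),
            "overlap": overlap,
            "flagged": burst >= min_distinct and overlap >= min_overlap,
        }
    return results


if __name__ == "__main__":
    for sid, info in score_sessions(parse_search_events(SAMPLE_LOG), WATCHLIST).items():
        print(sid, "FLAGGED" if info["flagged"] else "ok", info)
```

Thresholds are deliberately conservative: a kit that walks a list of a couple of hundred terms will blow far past `min_distinct=5`, while a human rarely issues five distinct searches in fifteen minutes, let alone five that all sit on the watchlist. Pair a flagged session with the client IP and the account's recent authentication history before locking the account.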