Traffic from multiple sources to a domain impersonating a known brand
Description
AlphaSOC detected network traffic to a domain that appears to impersonate a known brand. This is a common tactic used by threat actors to conduct phishing campaigns or other malicious activities. Adversaries register domains that closely resemble legitimate fully-qualified domain names (FQDNs) to deceive users into thinking they are interacting with a legitimate website.
Impact
Traffic to brand-impersonating domains can lead to security breaches. Users may unknowingly submit sensitive information, including login credentials or financial data, to malicious actors. This can result in unauthorized access to corporate systems, data theft, or financial fraud, or the domain can serve as an entry point for further attacks such as malware deployment or ransomware infections.
Severity
| Severity | Condition |
|---|---|
| Low | Traffic to a valid domain impersonating a known brand |
| Medium | Traffic to a young domain impersonating a known brand |
| High | Traffic to a suspicious domain impersonating a known brand |
| High | Traffic from multiple sources |
| Critical | Traffic to a suspicious young domain impersonating a known brand |
Investigation and Remediation
Investigate the specific domain in question and compare it to the legitimate brand's domain. Analyze the traffic patterns, including which users or systems accessed the domain and how many distinct sources were involved. If malicious intent is confirmed, block the domain at the network level.
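An added example (not AlphaSOC's code) of how a defender might triage this kind of traffic: it flags lookalike domains against a constructed brand watchlist, counts distinct sources per domain, and applies the severity table above. The registration date and "suspicious" reputation flag are assumed to come from an external enrichment lookup and are embedded here as constructed data.

```python
from datetime import date
# Constructed brand watchlist (not a real one): brand name -> legitimate registrable domain.
BRANDS = {"examplebank": "examplebank.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(domain: str):
    """Brand the domain resembles, or None; the brand's own domain and its subdomains never match."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in BRANDS.values():
        return None
    # Check every non-TLD label and its hyphen-separated tokens, e.g. "examp1ebank-login".
    tokens = [t for label in labels[:-1] for t in [label, *label.split("-")]]
    return next((b for b in BRANDS for t in tokens if edit_distance(t, b) <= 1), None)

def severity(young: bool, suspicious: bool, source_count: int) -> str:
    """Severity table: valid=Low, young=Medium, suspicious=High, both=Critical; >1 source raises to High."""
    base = "Critical" if young and suspicious else "High" if suspicious else "Medium" if young else "Low"
    return "High" if source_count > 1 and base in ("Low", "Medium") else base

def analyze(log_text: str, enrichment: dict, today: date, young_days: int = 30) -> dict:
    """Group DNS log lines ("timestamp source domain") by lookalike domain and rate each one."""
    sources = {}
    for line in log_text.strip().splitlines():
        _ts, src, domain = line.split()
        if impersonated_brand(domain):
            sources.setdefault(domain, set()).add(src)
    findings = {}
    for domain, srcs in sources.items():
        info = enrichment.get(domain, {})  # registration date / reputation from an external lookup
        young = "registered" in info and (today - info["registered"]).days < young_days
        findings[domain] = {"brand": impersonated_brand(domain), "sources": sorted(srcs),
                            "severity": severity(young, info.get("suspicious", False), len(srcs))}
    return findings

# Constructed sample data: two hosts reach a fresh, flagged typosquat; the real brand domain is ignored.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z 10.0.0.5 examp1ebank-login.test
2024-05-01T10:01:00Z 10.0.0.7 examp1ebank-login.test
2024-05-01T10:02:00Z 10.0.0.9 login.examplebank.com
"""
SAMPLE_ENRICHMENT = {"examp1ebank-login.test": {"registered": date(2024, 4, 20), "suspicious": True}}
FINDINGS = analyze(SAMPLE_LOGS, SAMPLE_ENRICHMENT, today=date(2024, 5, 1))
```

The two-source, young, suspicious typosquat lands at Critical, while the legitimate subdomain produces no finding; brand-in-subdomain hosts such as `examplebank.com.verify.test` are also flagged because every non-TLD label is checked.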