
Multiple requests to suspicious domains

ID: suspicious_domain_volume
Data type: DNS, HTTP
Severity: Low - High
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected network traffic to a suspicious domain that may signal malicious activity. The domain exhibits characteristics commonly associated with cyber threats, including recent registration, poor reputation scores, brand spoofing patterns, or rare occurrence in legitimate traffic. This behavior could indicate spear phishing attempts, malware distribution, or command and control (C2) communications.

Impact

Traffic to a suspicious domain may indicate an ongoing attack. Adversaries set up domains online to capture credentials via phishing, distribute malware, and run C2 infrastructure to interact with infected hosts.

Severity

| Severity | Condition |
|----------|-----------|
| Low      | Traffic to a suspicious domain |
| Medium   | Beaconing to a suspicious domain |
| Medium   | Multiple requests to suspicious domains |
| Medium   | Traffic to a likely malicious domain |
| Medium   | Traffic to a suspicious domain containing a brand name |
| High     | Traffic to a young suspicious domain containing a brand name |
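The following is an added example, not AlphaSOC's detection code, showing how the conditions in the table above can be scored over DNS query records once a domain has already been flagged as suspicious. The domain-age cutoff (30 days), the "multiple requests" threshold (5 distinct domains per host), the beaconing test (at least 6 queries with near-constant spacing), the brand list and the sample records are all constructed assumptions; reputation lookups, which decide whether a domain is "suspicious" or "likely malicious" in the first place, are out of scope, so the "likely malicious" row is not modelled.

```python
"""Toy severity classifier for the "suspicious domain" detection family.

Added example, not AlphaSOC's detection code. The tunables, the brand list,
the beaconing test and the sample DNS records are all constructed assumptions
made for illustration; every input domain is taken as already flagged
suspicious by some reputation source that is out of scope here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed tunables (not from the page).
YOUNG_DOMAIN_DAYS = 30        # "young": registered within this many days
MULTI_REQUEST_THRESHOLD = 5   # distinct suspicious domains per source host
BEACON_MIN_EVENTS = 6         # queries needed before testing for regularity
BEACON_MAX_JITTER_S = 5.0     # std-dev of inter-query gaps at or below this is "regular"
BRANDS = {"paypal", "microsoft", "dropbox"}  # constructed brand list

# Conditions and severities as listed in the page's Severity table.
SEVERITY = {
    "Traffic to a suspicious domain": "Low",
    "Beaconing to a suspicious domain": "Medium",
    "Multiple requests to suspicious domains": "Medium",
    "Traffic to a suspicious domain containing a brand name": "Medium",
    "Traffic to a young suspicious domain containing a brand name": "High",
}
RANK = {"Low": 0, "Medium": 1, "High": 2}


def contains_brand(domain, brands=BRANDS):
    """True if a brand token appears in any label of the domain except the TLD."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    return any(brand in label for label in labels for brand in brands)


def is_beaconing(timestamps):
    """True if there are enough queries and the gaps between them are nearly constant."""
    if len(timestamps) < BEACON_MIN_EVENTS:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) <= BEACON_MAX_JITTER_S


def pair_condition(domain, timestamps, registered, now):
    """Highest-severity condition that applies to one (source host, domain) pair."""
    conds = ["Traffic to a suspicious domain"]
    if contains_brand(domain):
        young = registered is not None and (now - registered).days <= YOUNG_DOMAIN_DAYS
        conds.append("Traffic to a young suspicious domain containing a brand name" if young
                     else "Traffic to a suspicious domain containing a brand name")
    if is_beaconing(timestamps):
        conds.append("Beaconing to a suspicious domain")
    return max(conds, key=lambda c: RANK[SEVERITY[c]])


def classify(events, now):
    """Map (src, domain) -> (condition, severity); per-host volume findings use domain None.

    Each event is a dict with keys src, domain, ts (datetime) and registered
    (datetime, or None when the registration date is unknown)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["domain"])].append(e)
    findings = {}
    for (src, domain), group in by_pair.items():
        cond = pair_condition(domain, [e["ts"] for e in group], group[0]["registered"], now)
        findings[(src, domain)] = (cond, SEVERITY[cond])
    # Volume rule: one host touching many distinct suspicious domains.
    per_src = defaultdict(set)
    for e in events:
        per_src[e["src"]].add(e["domain"])
    for src, domains in per_src.items():
        if len(domains) >= MULTI_REQUEST_THRESHOLD:
            cond = "Multiple requests to suspicious domains"
            findings[(src, None)] = (cond, SEVERITY[cond])
    return findings


# ---- constructed sample DNS records (not real traffic) ----
NOW = datetime(2024, 5, 1, 12, 0, 0)


def beacon_events(src, domain, n, period_s):
    """n queries from src to domain spaced exactly period_s apart, ending at NOW."""
    return [{"src": src, "domain": domain, "registered": None,
             "ts": NOW - timedelta(seconds=period_s * (n - i))} for i in range(n)]


SAMPLE_EVENTS = (
    beacon_events("10.0.0.5", "cdn-update-svc.example", 8, 60)          # regular 60 s queries
    + [{"src": "10.0.0.6", "domain": "paypal-account-verify.example",   # brand look-alike,
        "ts": NOW, "registered": NOW - timedelta(days=3)}]               # registered 3 days ago
    + [{"src": "10.0.0.7", "domain": f"rare-{i}.example", "registered": None,
        "ts": NOW - timedelta(minutes=7 * i)} for i in range(5)]         # five rare domains
)


def sample_findings():
    """Classify the constructed sample; used by the demo below."""
    return classify(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for (src, domain), (cond, sev) in sorted(sample_findings().items(),
                                             key=lambda kv: (kv[0][0], kv[0][1] or "")):
        print(f"{sev:6} {src:10} {domain or '(per-host volume)':32} {cond}")
```

Run as a script it prints one line per finding: the 60-second beacon from 10.0.0.5 lands at Medium, the three-day-old brand look-alike queried by 10.0.0.6 at High, and 10.0.0.7 gets five Low findings plus a Medium per-host volume finding. When several conditions apply to the same host/domain pair the highest severity wins, which mirrors the table's ordering; the per-host volume rule is kept separate because it is a property of the host, not of any one domain.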

Investigation and Remediation

Analyze the traffic patterns and identify affected systems. If malicious activity is confirmed, isolate the affected systems and block the suspicious domains. Conduct a thorough security assessment to identify and remove malware, and to identify potential data loss.

Known False Positives

  • Legitimate traffic to newly registered domains or less common websites