Suspicious hosting provider traffic
Description
AlphaSOC detected traffic to a hosting provider fully-qualified domain name (FQDN) with suspicious properties. These properties can include a positive sandbox engine score (e.g., known malware samples associated with the FQDN according to VirusTotal), presence on a threat feed or blocklist, or poor reputation online.
Impact
Threat actors often abuse subdomains of reputable hosting providers to create a false sense of legitimacy, which helps them evade detection. Such subdomains can be used to host malicious content, exfiltrate data, or communicate with command and control (C2) servers.
Severity
| Severity | Condition |
|---|---|
| Medium | Suspicious hosting provider traffic |
Investigation and Remediation
Analyze the traffic patterns and identify affected systems. If malicious activity is confirmed, isolate compromised endpoints and block communication with the malicious domain. Conduct a thorough security assessment to detect and remove any malware, and assess the extent of potential data loss.
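As an added example (not AlphaSOC's own detection code), the following Python flags DNS lookups of hosting-provider subdomains that carry the suspicious properties listed above and groups the affected client IPs per domain, which supports the "identify affected systems" step. The provider list, the reputation data and the DNS log lines are all constructed for illustration.

```python
# Added illustration, not AlphaSOC code; all data below is constructed.
# Constructed: registrable domains of hosting providers whose customer subdomains get scrutiny.
HOSTING_PROVIDERS = {"example-hosting.test", "pages-host.test"}

# Constructed reputation data keyed by FQDN; in production this comes from a sandbox engine, threat feeds and a reputation service.
REPUTATION = {
    "cdn-update.example-hosting.test": {"sandbox_hits": 3, "blocklisted": False, "reputation": 0.1},
    "docs.pages-host.test": {"sandbox_hits": 0, "blocklisted": False, "reputation": 0.9},
    "login-secure.pages-host.test": {"sandbox_hits": 0, "blocklisted": True, "reputation": 0.5},
}

# Constructed DNS log: "<timestamp> <client_ip> <queried_fqdn>"
DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 cdn-update.example-hosting.test
2024-01-01T10:00:03Z 10.0.0.5 docs.pages-host.test
2024-01-01T10:01:10Z 10.0.0.9 login-secure.pages-host.test
2024-01-01T10:02:00Z 10.0.0.7 intranet.corp.test
2024-01-01T10:05:00Z 10.0.0.9 cdn-update.example-hosting.test
"""

def registrable_domain(fqdn, labels=2):
    """Last `labels` labels of the name (naive split; use the Public Suffix List in production)."""
    return ".".join(fqdn.split(".")[-labels:])

def is_hosting_subdomain(fqdn):
    """True for a customer subdomain of a listed provider, not for the provider apex itself."""
    parent = registrable_domain(fqdn)
    return parent in HOSTING_PROVIDERS and fqdn != parent

def suspicious_properties(fqdn, low_reputation=0.3):
    """Which of the suspicious properties named above apply to this FQDN (empty list if none)."""
    rep = REPUTATION.get(fqdn, {})
    checks = [("sandbox_hits", rep.get("sandbox_hits", 0) > 0),
              ("blocklisted", rep.get("blocklisted", False)),
              ("low_reputation", rep.get("reputation", 1.0) < low_reputation)]
    return [name for name, hit in checks if hit]

def detect(log_text):
    """One Medium alert per suspicious FQDN, listing the affected client IPs and first sighting."""
    alerts = {}
    for line in log_text.splitlines():
        ts, client, fqdn = line.split()
        fqdn = fqdn.lower().rstrip(".")  # normalise before any lookup
        props = suspicious_properties(fqdn) if is_hosting_subdomain(fqdn) else []
        if props:
            alert = alerts.setdefault(fqdn, {"severity": "Medium", "properties": props,
                                             "first_seen": ts, "clients": set()})
            alert["clients"].add(client)
    return alerts
```

Benign hosting-provider subdomains (no suspicious property) and non-provider domains produce no alert, so the output is limited to the hosts that actually need isolation and blocking.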