Traffic from multiple sources to a unique young domain
Description
AlphaSOC detected network traffic to a unique, recently registered domain. Newly registered domains are frequently used in spearphishing campaigns to evade detection.
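The following is an added example, not AlphaSOC's detection logic: a minimal sketch of the same idea run over constructed DNS events. The thresholds, the registration-date lookup, and treating "unique" as "absent from a baseline of previously seen domains" are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed thresholds (not from the page); tune to your environment.
MAX_DOMAIN_AGE_DAYS = 30
MIN_DISTINCT_SOURCES = 2

# Constructed sample: (source IP, queried domain) pairs from DNS logs.
EVENTS = [
    ("10.0.0.11", "young-example.test"),
    ("10.0.0.12", "Young-Example.test."),   # same domain, different spelling
    ("10.0.0.12", "young-example.test"),    # repeat query, same source
    ("10.0.0.13", "single-hit.test"),
    ("10.0.0.11", "established.example"),
    ("10.0.0.14", "established.example"),
    ("10.0.0.11", "known-new.test"),
    ("10.0.0.15", "known-new.test"),
]
# Constructed registration dates, standing in for WHOIS/RDAP enrichment.
REGISTERED = {
    "young-example.test": date(2024, 5, 28),
    "single-hit.test": date(2024, 5, 30),
    "established.example": date(2015, 1, 1),
    "known-new.test": date(2024, 5, 25),
}
BASELINE = {"known-new.test"}  # constructed: domains already seen and vetted


def find_young_domain_alerts(events, registered, baseline, today):
    """Return {domain: sorted sources} for young, previously unseen domains
    contacted by at least MIN_DISTINCT_SOURCES distinct sources."""
    sources = defaultdict(set)
    for src, domain in events:
        sources[domain.lower().rstrip(".")].add(src)  # normalise before counting
    alerts = {}
    for domain, srcs in sources.items():
        reg = registered.get(domain)
        if reg is None or domain in baseline:  # no age data, or not "unique"
            continue
        age = (today - reg).days
        if 0 <= age <= MAX_DOMAIN_AGE_DAYS and len(srcs) >= MIN_DISTINCT_SOURCES:
            alerts[domain] = sorted(srcs)
    return alerts


if __name__ == "__main__":
    print(find_young_domain_alerts(EVENTS, REGISTERED, BASELINE, date(2024, 6, 1)))
```

The returned source list is the set of systems to scope during investigation; the baseline is where vetted new software or services would be recorded to suppress the false positives listed further down.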
Impact
Traffic to a suspicious new domain from multiple sources may indicate that a threat actor is attempting to infiltrate the network. Threat actors often use techniques such as spearphishing with malicious attachments to gain initial access to a victim's system.
Severity
| Severity | Condition |
|---|---|
| Medium | Traffic from multiple sources to a unique young domain |
Investigation and Remediation
Investigate the affected systems. If malicious activity is confirmed, isolate affected systems, terminate unauthorized connections, and perform a thorough forensic analysis. To prevent future occurrences, update DNS monitoring and filtering mechanisms to detect and block traffic to known malicious domains.
Known False Positives
- Legitimate but rarely used applications or services
- Users accessing niche websites
- New software or services not yet widely adopted within the organization