LoFP / Legitimate use of IPFS in the organisation. However, the cs-uri regex looking for a user email will likely negate this.

Techniques

Sample rules

Suspicious Network Communication With IPFS

Description

Detects connections to the InterPlanetary File System (IPFS) whose URI contains a user's email address, which mirrors behaviour observed in recent phishing campaigns leveraging IPFS to host credential-harvesting web pages.

Detection logic

condition: selection
selection:
  cs-uri|re: (?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+
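To see why legitimate IPFS traffic is unlikely to trip this selection, the rule's regex can be run over a few proxy log lines. This is an added example, not part of the rule or the LoFP page: the log lines are constructed, the W3C-style column layout (cs-uri as the fifth field) is an assumption, and the match semantics follow Sigma's unanchored `re` modifier.

```python
import re

# Regex copied verbatim from the rule's cs-uri|re selection.
IPFS_EMAIL_URI = re.compile(r"(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+")

# Constructed proxy log lines (assumed layout: date time c-ip cs-method cs-uri sc-status).
# Line 1: phishing-style URI carrying the victim's address in the fragment.
# Line 2: ordinary IPFS download with no email in the URI (the LoFP case).
# Line 3: same pattern as line 1 but with an upper-case host, covered by (?i).
SAMPLE_LOG = """\
2023-05-01 10:01:02 10.0.0.5 GET https://ipfs.io/ipfs/bafybeiexamplecid/index.html#jane.doe@example.com 200
2023-05-01 10:02:10 10.0.0.7 GET https://ipfs.io/ipfs/bafybeiexamplecid/readme.txt 200
2023-05-01 10:03:44 10.0.0.9 GET https://IPFS.IO/ipfs/bafybeiexamplecid/login.htm?e=user@example.org 200
"""


def parse_cs_uri(line: str) -> str:
    """Return the cs-uri field (assumed to be the fifth whitespace-separated column)."""
    return line.split()[4]


def matches_rule(cs_uri: str) -> bool:
    """Apply the selection: Sigma 're' is a search, not a full-string match."""
    return IPFS_EMAIL_URI.search(cs_uri) is not None


def flag_lines(log_text: str) -> list[str]:
    """Return the cs-uri of every log line the selection would fire on."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        uri = parse_cs_uri(line)
        if matches_rule(uri):
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for uri in flag_lines(SAMPLE_LOG):
        print("ALERT", uri)
```

Only the two URIs carrying an address are returned; the plain readme.txt fetch is left alone, which is the point of the LoFP note above.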