sublime | Exclusion
HoxHunt phishing simulation
Identifies phishing simulations sent by HoxHunt and excludes the message from live analysis.
Detection Query
type.inbound
and (
  any(headers.hops, strings.ends_with(.signature.domain, ".hoxhuntsigning.com"))
  or any(headers.ips,
         .ip in ("35.156.0.138", "37.139.12.94")
         or regex.match(.ip,
                        '193\.3\.183\.(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])$'
         )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "HoxHunt phishing simulation"
description: "Identifies phishing simulations sent by HoxHunt and excludes the message from live analysis."
type: "exclusion"
source: |
  type.inbound
  and (
    any(headers.hops, strings.ends_with(.signature.domain, ".hoxhuntsigning.com"))
    or any(headers.ips,
           .ip in ("35.156.0.138", "37.139.12.94")
           or regex.match(.ip,
                          '193\.3\.183\.(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])$'
           )
    )
  )