So, I made a yara rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated + file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with these. One possibility was on hybrid analysis. After just a few days, I have 9 detections already found. The YARA rule is hosted on my github ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ) but basically it's like this (notations added for this post): rule phishingKits3 { meta : description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets." author = "ferasdour" strings : $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery $s2 = "https://code.jquery...
