Coronavirus Phishing Threats are Continuously
Keep Calm. Don’t Click.
Whenever there’s a major disaster, phishing emails follow. Phishers play on human emotions like fear and urgency, which today are spreading as fast as the Coronavirus itself. Themed Coronavirus phishing emails can simply ask the recipient to download an attachment or click a link to view the latest statistics on Covid-19. Accurate information can protect your users and organization from current and future Coronavirus phishing threats.
How to Find a Coronavirus Phishing Email
Download our infographic to share the 5 signs of a Coronavirus phish, plus check our blog and news feed on Coronavirus misinformation. To view our repository of Coronavirus Phishing Yara Rules, visit our GitHub.
For authoritative information on the Coronavirus, visit the World Health Organization and the Centers for Disease Control.
Cofense recommends organizations avoid using these themes in phishing simulation campaigns. Security Awareness teams and incident responders should instead focus on communicating what to look for in phishing emails, as well as basic security measures while working from home.
Helpful Coronavirus Phishing Resources
Download Infographic | Read the Blogs | View the Webinar | Listen to the Podcast | Use the Yara Rule
Coronavirus phishing email threats are continuously evading secure email gateways.
Reported by Cofense End Users and Automatically Analyzed and Quarantined by Cofense Triage and Vision.
Coronavirus Phishing Yara Rules
Cofense is sharing these Yara rules publicly, for all. These rules consist of major and actionable indicators and keywords that Cofense has identified for phishing emails and related malware that are leveraging the Coronavirus or Covid-19 theme in phishing attacks. This data comes from Cofense’s Intelligence team, proprietary data collection sources, and the Cofense Phishing Defense Center.
Cofense Triage and Cofense Intelligence customers already have access to these rules. We will update the rules frequently to reflect changes in the phishing landscape.
rule CofenseIntel_CoronavirusPhishing_Indicators {
meta:
copyright = "/* (c) 2020 Cofense Inc. available at https://cofense.com/solutions/topic/coronavirus-infocenter/ */"
commercial_usage = "Requests to incorporate this Yara rule, in whole or in part, in commercial applications should be directed to [email protected]"
non_commercial_usage = "This yara rule is offered pursuant to the Attribution-NonCommercial-NoDerivatives 4.0 International license, available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode."
description = "This yara rule consists of major and actionable indicators that Cofense has identified for phishing emails and related malware that are leveraging the CoronaVirus or Covid-19 theme. This data comes from Cofense's Intelligence team, proprietary data collection sources, and the Cofense Phishing Defense Center. This yara rule should be considered a living rule, and will be updated periodically with new and additional indicators as they are identified and validated by the Cofense Intelligence Team."
author = "Cofense Intelligence, Cofense Labs"
version = "42"
known_variants_covered = "155"
date_created = "17Mar2020"
last_updated = "03Jun2020"
change_log_17Mar2020 = "initial rule creation"
change_log_19Mar2020 = "added: 4 email addresses, 8 file names, 5 urls, 7 subject lines"
change_log_20Mar2020 = "added: 7 urls, 4 filenames, 5 subject lines"
change_log_23Mar2020 = "added: 1 url, 6 filenames, 4 subject lines"
change_log_24Mar2020 = "added: 6 urls, 3 filenames, 3 subject lines"
change_log_25Mar2020 = "added: 2 email addresses, 29 urls, 5 filenames, 5 subject lines"
change_log_27Mar2020 = "added: 7 urls"
change_log_30Mar2020 = "added: 1 email address, 5 urls, 7 filenames, 7 subject lines"
change_log_31Mar2020 = "added: 18 urls, 5 filenames, 5 subject lines"
change_log_01Apr2020 = "added: 1 email address, 4 urls, 5 filenames, 2 subject lines"
change_log_02Apr2020 = "added: 9 urls, 4 filenames, 6 subject lines"
change_log_03Apr2020 = "added: 7 urls, 7 filenames, 1 subject lines"
change_log_06Apr2020 = "added: 2 urls, 2 filenames, 4 subject lines"
change_log_07Apr2020 = "added: 5 urls"
change_log_08Apr2020 = "added: 1 email address, 3 filenames, 1 subject line"
change_log_09Apr2020 = "added: 1 email address, 1 url, 4 filenames, 1 subject line"
change_log_10Apr2020 = "added: 4 email address, 3 urls, 9 filenames, 3 subject lines"
change_log_13Apr2020 = "added: 6 urls, 1 filenames, 2 subject lines"
change_log_14Apr2020 = "added: 92 urls, 7 filenames, 5 subject lines"
change_log_15Apr2020 = "added: 3 urls, 2 filenames"
change_log_16Apr2020 = "added: 2 email addresses, 2 urls, 3 filenames, 2 subject lines"
change_log_17Apr2020 = "added: 1 email address, 3 urls, 2 filenames, 1 subject lines"
change_log_20Apr2020 = "added: 17 urls, 5 filenames, 2 subject lines"
change_log_21Apr2020 = "added: 1 url, 3 filenames, 3 subject lines"
change_log_22Apr2020 = "added: 2 email addresses, 8 urls, 3 subject lines"
change_log_24Apr2020 = "added: 1 email address, 2 filenames, 4 urls, 2 subject lines"
change_log_27Apr2020 = "added: 3 email addresses, 1 filename, 37 urls"
change_log_29Apr2020 = "added: 2 email addresses, 2 filenames"
change_log_30Apr2020 = "added: 4 urls, 3 filenames, 1 subject line"
change_log_01May2020 = "added: 1 email address, 3 urls, 2 subject lines"
change_log_04May2020 = "added: 4 filenames, 9 urls"
change_log_05May2020 = "added: 1 subject line, 2 filenames, 9 urls"
change_log_06May2020 = "added: 3 subject lines, 1 filename, 7 urls"
change_log_07May2020 = "added: 2 subject lines, 1 filename, 6 urls"
change_log_08May2020 = "added: 1 email address, 2 subject lines, 4 filenames, 2 urls"
change_log_12May2020 = "added: 1 domain, 4 subject lines, 1 filename, 12 urls"
change_log_13May2020 = "added: 1 subject line, 3 filenames, 4 urls"
change_log_19May2020 = "added: 1 email address, 2 subject lines, 7 urls"
change_log_22May2020 = "added: 2 subject lines, 3 filenames, 8 urls"
change_log_26May2020 = "added: 1 email address, 3 subject lines, 2 filenames, 5 urls"
change_log_02Jun2020 = "added: 2 email addresses, 2 subject lines, 5 filenames, 4 urls"
change_log_03Jun2020 = "added: 2 subject lines, 5 filenames, 2 urls"
strings:
$domain1="cornerload.dynu.net" nocase
$domain2="seasons444.ddns.net" nocase
$domain3="seasonsnonaco.ddnsking.com" nocase
$domain4="ouluok.hereag.xyz" nocase
$email1="[email protected]" nocase
$email2="[email protected]" nocase
$email3="[email protected]" nocase
$email4="[email protected]" nocase
$email5="[email protected]" nocase
$email6="[email protected]" nocase
$email7="[email protected]" nocase
$email8="[email protected]" nocase
$email9="[email protected]" nocase
$email10="[email protected]" nocase
$email11="[email protected]" nocase
$email12="[email protected]" nocase
$email13="[email protected]" nocase
$email14="[email protected]" nocase
$email15="[email protected]" nocase
$email16="[email protected]" nocase
$email17="[email protected]" nocase
$email18="[email protected]" nocase
$email19="[email protected]" nocase
$email20="[email protected]" nocase
$email21="[email protected]" nocase
$email22="[email protected]" nocase
$email23="[email protected]" nocase
$email24="[email protected]" nocase
$email25="[email protected]" nocase
$email26="[email protected]" nocase
$email27="[email protected]" nocase
$email28="[email protected]" nocase
$email29="[email protected]" nocase
$email30="[email protected]" nocase
$email31="[email protected]" nocase
$email132="[email protected]" nocase
$email133="[email protected]" nocase
$url1="https://site-inspection.com/.well-known/acme-challenge/w.php/9SG2m697HN" nocase
$url2="http://onlinepreneur.id/manager/brain.exe" nocase
$url3="http://onlinepreneur.id/license/love.exe" nocase
$url4="https://notmsg.smvm.xyz/" nocase
$url5="https://toyswithpizzazz.com.au/service/coronavirus/" nocase
$url6="https://southhillspros.com/Rovince/Jelink.html" nocase
$url7="https://wusameetings.tk/boding/Jelink.html" nocase
$url8="https://southhillspros.com/citrix/Ward/broward.php" nocase
$url9="https://jetluxinc396.sharepoint.com/:b:/g/ERt-r1ZM6PRGhKdxb6bfZSIBcOX2b0y8snN4fg8f7z22rA" nocase
$url10="https://southhillspros.com/citrix/Ward/broward.htm" nocase
$url11="https://www.scholarcave.com/owa/owa.php" nocase
$url12="http://www.dogogiaphat.com/ecdc.php" nocase
$url13="https://takemorilaw.com/wp-content/micro-update-1-2/" nocase
$url14="http://my.pcloud.com/publink/show?code=XZO5BWkZjc6l5EBCtnkTYqw2DHqzEBT4LAay" nocase
$url15="https://www.schooluniformtrading.com.au/cdcgov/files/" nocase
$url16="https://gocycle.com.au/cdcgov/files/" nocase
$url17="https://onthefx.com/cd.php" nocase
$url18="https://urbanandruraldesign.com.au/cdcgov/files/" nocase
$url19="https://healing-yui223.com/cd.php" nocase
$url20="https://www.brightparcel.com/corona/owa.php" nocase
$url21="https://noithatgoocchoav.com/cd.php" nocase
$url22="http://euromopy.tech/etty/black/download/fre.php" nocase
$url23="https://drive.google.com/uc?export=download&id=1V8530tZ-SNHELlaVL4BMQpJrRU2DBPSL" nocase
$url24="http://bit.ly/2TpOpNS" nocase
$url25="http://edirneli.net/tr/logo.gif" nocase
$url26="http://185.244.30.4:6669" nocase
$url27="http://sevgikresi.net/logof.gif" nocase
$url28="http://natufarma.net/imagens/logof.gif" nocase
$url29="http://emrahkucukkapdan.com/img/button.gif" nocase
$url30="https://pastebin.com/raw/vnPLhhBH" nocase
$url31="http://autocarsalonmobil.com/wp-content/uploads/Internetsonline.txt" nocase
$url32="http://hidroservbistrita.ro/images/logo.gif" nocase
$url33="http://krupoonsak.com/logo.gif" nocase
$url34="http://snsoft.host-ed.me/images/logos.gif" nocase
$url35="http://gardapalace.it/logo.gif" nocase
$url36="http://mabdesign.unlugar.com/button.gif" nocase
$url37="http://nlcfoundation.org/images/xs.jpg" nocase
$url38="http://glamfromeast.com/image/logo.gif" nocase
$url39="http://datalinksol.com/logo.gif" nocase
$url40="http://babystophouse.com/images/logo.gif" nocase
$url41="http://68.168.222.206/logos.gif" nocase
$url42="https://185.216.35.10/3/L2KSUN.php" nocase
$url43="http://uzoclouds.eu/dutchz/dutchz.exe" nocase
$url44="http://posqit.net/TT/50590113.exe" nocase
$url45="http://bitly.ws/83FN" nocase
$url46="https://marsdefenseandscience.com/reports.zip" nocase
$url47="https://eabi7yab.appspot.com/app.php" nocase
$url48="https://eabi7yab.appspot.com/" nocase
$url49="https://sway.office.com/ggKC030OqLgA59rj?ref=Link" nocase
$url50="http://tidy-saiki-6718.deci.jp/MIY/MLY.exe" nocase
$url51="http://academydea.com/alhaji/Panel/five/fre.php" nocase
$url52="https://saltcitymktg.com/ssl/?0@=" nocase
$url53="http://tonpr.esy.es/http/Office/SSL/Login/cmd-login=" nocase
$url54="http://192.3.31.212/TickCountnrKDyhvMKK.exe" nocase
$url55="http://posqit.net/GE/5091203.jpg" nocase
$url56="http://bit.ly/2J9KXAM" nocase
$url57="https://www.hb-bonusclaim.com/hotelier/bonuses/vlar/oie/qwol/Sign_In_password.php" nocase
$url58="https://www.hb-bonusclaim.com/hotelier/bonuses/vlar/oie/qwol" nocase
$url59="https://goldenlion.sg/blacky2/hQFMCdSYQ81nUlp.exe" nocase
$url60="https://netorgft6251601-my.sharepoint.com/personal/remote_enrollopen_com/_layouts/15/" nocase
$url61="https://bluemediappc.ru/cxsw/?activity=4789652" nocase
$url62="https://coronasdeflores.cl/who/" nocase
$url63="https://coronasdeflores.cl/who/files/" nocase
$url64="https://ee-cop.co.uk/who/" nocase
$url65="https://ee-cop.co.uk/who/files/" nocase
$url66="https://ee-cop.co.uk/who/files/3b9f575dac9cc432873f6165c9bed507.php" nocase
$url67="https://heinrichgrp.com/who" nocase
$url68="https://heinrichgrp.com/who/files/" nocase
$url69="https://heinrichgrp.com/who/files/af1fd55c21fdb935bd71ead7acc353d7.php" nocase
$url70="https://mykipay.com/who/" nocase
$url71="https://mykipay.com/who/files/" nocase
$url72="https://o.splashmath.com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D" nocase
$url73="https://o.splashmath.com/ls/click?upn=msxJtQrcMkxf-2FHgHZWqFOpZY87uOjW56A4EtZK629w" nocase
$url74="https://o.splashmath.com/ls/click?upn=YtJZYRNKQgIuqGqUou2Wawk1LrccW6qSlY" nocase
$url75="https://pharmadrugdirect.com/who/" nocase
$url76="https://pharmadrugdirect.com/who/files/" nocase
$url77="https://url885.whoint.us/ls/click?upn=" nocase
$url78="https://www.bangkukuliah.com/who/" nocase
$url79="https://www.bangkukuliah.com/who/files/" nocase
$url80="https://www.enciety.co/who/" nocase
$url81="https://www.enciety.co/who/files/" nocase
$url82="https://www.whtextiles.com.pk/who/files/" nocase
$url83="https://www.whtextiles.com.pk/who/" nocase
$url84="https://www.frufc.net/who/files/61fe6624ec1fcc7cac629546fc9f25c3.php" nocase
$url85="https://www.frufc.net/who/files/" nocase
$url86="https://www.frufc.net/who/" nocase
$url87="https://goldenlion.sg/blacky2/QcxbDp400Ajfdiy.exe" nocase
$url88="http://mecharnise.ir/ca17/ca17.exe" nocase
$url89="https://jstforyou.com/agenda.zip" nocase
$url90="https://sway.office.com/UFXILme8nBQCIZzj?ref=Link" nocase
$url91="https://gboexprodutos.com.br/Scb/file/office/index.php" nocase
$url92="https://gboexprodutos.com.br/Scb/file/invoice.php" nocase
$url93="https://pec-india.com/COVID19/file/office/login.php" nocase
$url94="https://sway.office.com/1y5EtcvtDkyFBKm6?ref=Link" nocase
$url95="https://pec-india.com/COVID19/file/invoice.php" nocase
$url96="https://pec-india.com/COVID19/file/office/index.php" nocase
$url97="https://drive.google.com/uc?export=download&id=169KtCYiDPkOQGQaPD_OFZaRgk0fdF988" nocase
$url98="http://old-tosu-9221.verse.jp/Img/CIC.exe" nocase
$url99="http://t.info.samsungusa.com/r/?id=hesy2fd4,77c0c34,339a477f&p1=project0980870.blob.core.windows.net/ronaupdate0987654/Ap3dX.html" nocase
$url100="https://transtman.blob.core.windows.net/activemansmile/117-Crl.html" nocase
$url101="http://www.tanikawashuntaro.com//cgi-bin//g46445/9876778.php" nocase
$url102="https://christianfamilyradio.buzz/ardelishealth/0221/login.php" nocase
$url103="https://ustria11.blob.core.windows.net/secureffiles/notes.htm" nocase
$url104="https://christianfamilyradio.buzz/ardelishealth/0221/need1.php" nocase
$url105="https://christianfamilyradio.buzz/ardelishealth/0221/surf2.php" nocase
$url106="https://christianfamilyradio.buzz/ardelishealth/0221/surf3.php" nocase
$url107="https://buckazure1note-verinum.com/officeauth/index.php" nocase
$url108="https://buckazure1note-verinum.com/officeauth/submit.php" nocase
$url109="https://buckazure1note-verinum.com/officeauth/8c2w3sf10xmlm372ffltzzs3.php" nocase
$url110="https://buckazure1note-verinum.com/officeauth/enterpassword.php" nocase
$url111="https://buckazure1note-verinum.com/" nocase
$url112="https://ydray.com/get/l/EO15856384497878/r5BuHyWZwSC" nocase
$url113="http://jamestradingadmin.com/kun.php" nocase
$url114="https://st1.ydray.com/YDRAY-Payment-Proof.zip" nocase
$url115="https://nellyreifler.com/covid-19/" nocase
$url116="https://laylaraephoto.com/covid-19/login.html" nocase
$url117="https://puhsd210-my.sharepoint.com/:o:/g/personal/tena_phoenixunion_org/Epz8UXFcrHdHhs6heoRlU0sBcnom2zsvM4iSqus0DcccpA" nocase
$url118="https://nellyreifler.com/covid-19/step2.php" nocase
$url119="http://tokai-lm.jp/style/89887cc/5789n.php" nocase
$url120="https://hypothequeexcellence.com/wp-content/plugins/asd/83929288221/handler.php" nocase
$url121="https://lopppoooosdsdss.blob.core.windows.net/triumpeproeo/zxzxzxz.html" nocase
$url122="https://papapapapaapap.blob.core.windows.net/afarwaewewew/capapapa.html" nocase
$url123="https://www.infolapas.lv/company/" nocase
$url124="https://onedrive.live.com/download?cid=AE80108520D75992&resid=AE80108520D75992!110&authkey=AJCvE1mFXphXOoo" nocase
$url125="http://idontspeakfear.com/doc/medi.msi" nocase
$url126="https://santacuenta.info/santa/particulares/request.php" nocase
$url127="https://santacuenta.info/santa/" nocase
$url128="https://santacuenta.info/santa/particulares/home.php" nocase
$url129="https://cbhsnfiber.com/wp-content/office000365/fnoxglu0dy4q3k297vepc568irzj1tshmbwa9ql8ck7vbd4yz0ajxn5hg6pouwsem3if2rt1hfi4350yn7pvbgzodlmr8xtuje2c91aqk6sw" nocase
$url130="https://cbhsnfiber.com/wp-content/office000365/api.php" nocase
$url131="http://www.puzzleaddicts.me/wp-content/redirshshshggg/" nocase
$url132="https://cbhsnfiber.com/wp-content/office000365/request.php" nocase
$url133="https://drive.google.com/uc?export=download&id=1wKPszoP7U1-hXTTkAJOsW_qVZYcb0cnn" nocase
$url134="https://insurancebusinessmags.com/" nocase
$url135="https://craigne.buzz/busines-file/paid/sharepoint-v9/verification.php" nocase
$url136="https://craigne.buzz/busines-file/paid/sharepoint-v9/index.php" nocase
$url137="https://craigne.buzz/busines-file/paid/sharepoint-v9/k6ur6b5etxaznuc4wm12imm6.php" nocase
$url138="https://jhbfkjjkncvklnvkclbhjjzc.page.link/office-update" nocase
$url139="http://www.4up4.com/uploads/file_2020-03-21_014353.jpg" nocase
$url140="http://unlimitedimportandexport.com/wp-content/plugins/all-in-one-wp-migration/lib/cvxjR.exe" nocase
$url141="https://drive.google.com/uc?export=download&id=1wKPszoP7U1-hXTTkAJOsW_qVZYcb0cnn" nocase
$url142="http://innocentminds.com/oauthorization.login/bang.php" nocase
$url143="http://innocentminds.com/oauthorization.login/Myhealth.exe" nocase
$url144="http://innocentminds.com/oauthorization.login/success.php" nocase
$url145="https://innocentminds.com/oauthorization.login/index.php?loginid=to%20access%20Myhealth%20app&emailid=" nocase
$url146="http://www.i-context.net/vv/myedit/" nocase
$url147="http://unlimitedimportandexport.com/wp-content/plugins/all-in-one-wp-migration/lib/bread.exe" nocase
$url148="http://198.12.66.107/wzkjiCU.exe" nocase
$url149="http://93.126.60.106/vDBAExRNFm.exe" nocase
$url150="http://198.12.66.107/ewlANwI.exe" nocase
$url151="https://gameaze.com/wp-content/themes/wp_data.php" nocase
$url152="https://friendoffishing.com//wp-content/themes/calliope/template-parts/wp_data.php" nocase
$url153="http://dasi46.com/data/safari/hkt/feed.php" nocase
$url154="http://dasi46.com/data/safari/index.php" nocase
$url155="http://dasi46.com/data/safari/reward.html" nocase
$url156="http://photron.co.kr/xe/files/zones.php" nocase
$url157="https://firebasestorage.googleapis.com/v0/b/ibibapolyuser.appspot.com/o/index.htm" nocase
$url158="https://mindblog.com.ng/zltmworld/yhost.php" nocase
$url159="https://www.nflalumni.org/wp-admin/js/handler.php" nocase
$url160="https://wholenessfaceandbody.com/sharepoint/source/brand.php" nocase
$url161="https://wholenessfaceandbody.com/sharepoint/source/policy.php" nocase
$url162="https://wholenessfaceandbody.com/sharepoint/source/" nocase
$url163="https://wholenessfaceandbody.com/sharepoint/source/login.php" nocase
$url164="http://milap.net/ch.exe" nocase
$url165="http://54.37.131.204/index.php" nocase
$url166="https://firebasestorage.googleapis.com/v0/b/xxxvvvvxwbbb.appspot.com/o/5433457.html" nocase
$url167="https://unwithered-jams.000webhostapp.com/v9/v9/s/?signin" nocase
$url168="https://unwithered-jams.000webhostapp.com/v9/v9/?activity" nocase
$url169="https://unwithered-jams.000webhostapp.com/v9/v9/l_/submit.php" nocase
$url170="http://www.ignica.org/ebpuzm1x/sdspinler.php" nocase
$url171="http://hem.pmf.untz.ba/wp-admin/wclatimer.php" nocase
$url172="http://mailhubpros.com/.well-known/skorry.php" nocase
$url173="http://dentistmountainview.org/wp-content/wgitelman.php" nocase
$url174="http://restauracyjkaubabuni.pl/tmp/wc433862.php" nocase
$url175="http://catchingcourage.com/shopping/tony.php" nocase
$url176="http://perdossikaltim.com/images/rpdilemmo.php" nocase
$url177="http://agnigate.com/.quarantine/rpavuk.php" nocase
$url178="http://www.originhealth.ca/wp-includes/w_small.php" nocase
$url179="http://thelinkbuildingservices.com/openshop/rossmarshall.php" nocase
$url180="http://20tnews.com/wp-content/zona66.php" nocase
$url181="http://tatanusa.co.id/components/riccicorpxe3.php" nocase
$url182="http://violetfoundationla.org/wp-snapshots/rickmcveigh.php" nocase
$url183="http://www.idcl.co/.well-known/wjbard_9.php" nocase
$url184="http://languageterritory.com/css/tljnrusso.php" nocase
$url185="http://www.hanoimotor.net/wp-content/wgpatras1.php" nocase
$url186="http://hyderabadpestcontrolservices.com/wp-content/waterwork3.php" nocase
$url187="http://woprices.com/.well-known/wisbill111.php" nocase
$url188="http://gefsgp.cn/tmp/rmurf52.php" nocase
$url189="http://faitmaison.fr/wp-admin/sspetro.php" nocase
$url190="http://patatrading.com/manger/suiteblau.php" nocase
$url191="http://www.becomingtheboakyes.com/wp-content/shaghulbert.php" nocase
$url192="http://fascave.com/messon-bulk-sms-reseller-business-html-template/triedofthebullcrap.php" nocase
$url193="http://www.coliseuempresarial.com.br/rvsb-js/wstraub.php" nocase
$url194="http://nuchichietaphi.org/cli/trumanp1.php" nocase
$url195="http://mcinstalaciones.com.mx/wp-includes/wr_lin.php" nocase
$url196="http://all-babes.com/links/simplydancestudios.php" nocase
$url197="http://mattconnors.com/php/rockyrack2003.php" nocase
$url198="http://azramedicalsystems.com/.quarantine/wallerd21.php" nocase
$url199="http://www.idcl.co/.well-known/sstepp2548.php" nocase
$url200="http://www.newscreators.com/wp-admin/tructy72.php" nocase
$url201="http://bespokedistillery.co.uk/cgi-bin/roderick_mc.php" nocase
$url202="http://easefulmedia.com/pk/yhmh1999.php" nocase
$url203="http://bejoy.kiev.ua/ldow7k/yanpat.php" nocase
$url204="http://ogltrade.com/libraries/robert-lafleur.php" nocase
$url205="http://rsfcrm.com/bestcarpetcleanersnorthampton/tnmartinez1.php" nocase
$url206="http://home.gpak.in:88/wp-admin/spanishwildbull.php" nocase
$url207="http://exhaustaway.futurismdemo.com/.quarantine/rljbubba.php" nocase
$url208="http://www.amhypnotherapy.co.uk/wp-admin/wsfig.php" nocase
$url209="http://baotruocketqua.com/wp-admin/wterdale.php" nocase
$url210="http://sportsliv.net/.quarantine/scottforty.php" nocase
$url211="http://certificados.imperiumidiomas.com.br/cgi-bin/richardfrutiger.php" nocase
$url212="http://rongxsmb.com/home/wc556o.php" nocase
$url213="http://s35510.gridserver.com/css/steve525se.php" nocase
$url214="http://thefloralbasket.com/.well-known/tyster300.php" nocase
$url215="http://4salewebsites.com/df016f97f4975267aecd7ae77817deca/selcuk.php" nocase
$url216="http://osceconnect.com/jady/rogersaas.php" nocase
$url217="http://www.cakesbuy.in/.quarantine/wrhooton2.php" nocase
$url218="http://notkevinwong.com/Downloads/sawdustmechanic.php" nocase
$url219="http://techtucker.com/wp-includes/wineloverohio.php" nocase
$url220="http://burjbabel.org/wp-content/samgreen-1.php" nocase
$url221="http://remedy-mart.com/wp-admin/wildhalf.php" nocase
$url222="http://palmenapart.com.tr/plugins/tzak1984.php" nocase
$url223="http://biostem.com.br/wp-includes/zdenek_ulc.php" nocase
$url224="http://elationmanagement.com/f3vks2s/sevnava.php" nocase
$url225="http://calsportsmanmag.com/.well-known/tblackburn.php" nocase
$url226="http://dailysukaarkhi.com/efyt7/udressy-jd.php" nocase
$url227="http://www.hao6s.cn/re3g7u/tdom45.php" nocase
$url228="http://shreebabacaterers.com/dist/semperfi13.php" nocase
$url229="http://obamaga.com/wp-includes/seawolf126.php" nocase
$url230="http://mazoon-tourism.com/language/tlmcwilliams.php" nocase
$url231="http://fewlance.com/60562a08f9b45009b9c75e39afc83c74/storminnorman01.php" nocase
$url232="http://waterdamageremovallongisland.com/cgi-bin/rick48.1.php" nocase
$url233="http://radidyo.com/gallery/rkaapke.php" nocase
$url234="http://vietvisa.ru/wp-includes/wbielke.php" nocase
$url235="http://tomorrowdata.info/wp-admin/wlkbout.php" nocase
$url236="http://penplanner.com/cgi-bin/rigfisher.php" nocase
$url237="http://bknayakent.com/.well-known/wwing111.php" nocase
$url238="http://jovehairtwist.co.uk/wp-content/rsb1261.php" nocase
$url239="http://heresmygift.xyz/uzflp20mj/richardoberlender.php" nocase
$url240="http://tongaleitis.org/TLA/wernerrk.php" nocase
$url241="http://allelectric.biz/oldallelectric/rjpittaro.php" nocase
$url242="http://kryolaniraq.com/installation00/shebsolo1.php" nocase
$url243="http://www.jasonkelvin.co.uk/wp-content/thorshammer1221.php" nocase
$url244="http://babaszepsegverseny.hu/.well-known/roadrunner3142.php" nocase
$url245="http://zerosnap.store/images/rickn1574.php" nocase
$url246="http://www.90bikes90days.org/nqcfnp/tuscanwalls.php" nocase
$url247="http://gstore.guarismo.com/wp-content/wiretheworld.php" nocase
$url248="http://unlockbasics.host/cgi-bin/zvonkojurisic.php" nocase
$url249="https://darnovinc.com/wumtnoftpqueta/mava.html" nocase
$url250="https://darnovinc.com/wumtnoftpqueta/m2.php" nocase
$url251="https://darnovinc.com/wumtnoftpqueta/" nocase
$url252="https://www.easypos.vn/nhs.php" nocase
$url253="https://www.visiolocationpro.com/nhs/?e=" nocase
$url254="http://docs.google.com/document/d/e/2PACX-1vSaRggHfSpoa95MBgxfb0nLnStg_u0suHzaVUs-uYr-qT7WEZunlhppPie5bF6xs6PLIukznPtZc5n0/pub" nocase
$url255="https://controltechsite.com/Preview.exe" nocase
$url256="http://198.12.66.107/vxVOgVh.exe" nocase
$url257="http://bsantan.com/clientes/particulares/home.php" nocase
$url258="http://bsantan.com/clientes/" nocase
$url259="http://bsantan.com/clientes/particulares/gracias.php" nocase
$url260="http://bsantan.com/clientes/particulares/firmer.php" nocase
$url261="https://bit.ly/2VHCmv5" nocase
$url262="http://bsantan.com/clientes/particulares/index.php" nocase
$url263="http://bsantan.com/clientes/particulares/sms.php" nocase
$url264="https://uctscf.co.za/Receip.exe" nocase
$url265="https://www.bsrdesigns.com/TerminationList.exe" nocase
$url266="https://job-tec.com/Preview.exe" nocase
$url267="https://dubaidreamsadventure.com/TerminationList.exe" nocase
$url268="https://docs.google.com/document/d/e/2PACX-1vTFTFp2v0cmZAik75KBhdB6BEaVokOPW8uEdpYTO2i4p1cg0R47-r_hYZQmEYS4A4720XoIhWFyGwdd/pub" nocase
$url269="https://docs.google.com/document/d/e/2PACX-1vSKnJdCk_3-UbOblCInMPu8TjO1PKP8460jaazkLbrKxpJZAmLNO8zINQcgBGqFgkaVUgIa4JvdQXqu/pub" nocase
$url270="https://docs.google.com/document/d/e/2PACX-1vS3oSmmyYKNCwKHxaDeyavQeDiBVfwe8HXTsDrK6y36GfiCFvE3xq1AFig7pA3MIx70rxoU6mBXaw_t/pub" nocase
$url271="https://docs.google.com/document/d/e/2PACX-1vS1Hg6K4vtaeKPMnWGs72RCnCsQ1iwDJ6u35zhKBl0U-mzrE1xx5rg0xOt8hRqzEONtJeuANduI4IP2/pub" nocase
$url272="https://docs.google.com/document/d/e/2PACX-1vROzSpK3dx02Gn0RTzuGkz6Ewr272EX-YKlApgnwxqkLQeKJb327_gW4GtQjDHqdKZLgKdUdi1l-LKn/pub" nocase
$url273="https://bloomfieldholding.com/Document_Preview.exe" nocase
$url274="https://drive.google.com/file/d/1m6u4b8eXvAWEzZoB9ne3nYn0GSBAsuMF/view" nocase
$url275="http://access-servicegov.onthewifi.com/mate2.php" nocase
$url276="http://access-servicegov.onthewifi.com/" nocase
$url277="http://access-servicegov.onthewifi.com/success.html" nocase
$url278="http://access-servicegov.onthewifi.com/remodel-host.html" nocase
$url279="http://access-servicegov.onthewifi.com/mate.php" nocase
$url280="http://www.mediafire.com/file/hwd7ltleia95muf/wire_cheque1.7z/file" nocase
$url281="https://onedrive.live.com/download?cid=5696478ACB744989&resid=5696478ACB744989!383&authkey=ADLDpuAYA7Kj1Dk" nocase
$url282="http://apps.usw2.pure.cloud/s/#/1/r7qmdr3lvfekbkbrtw5kd6usdu" nocase
$url283="https://vermeulensingel.buzz/%25@#&$/microsoft.php" nocase
$url284="https://vermeulensingel.buzz/%25@#&$/webmail.php" nocase
$url285="https://vermeulensingel.buzz/%25@#&$/office.php" nocase
$url286="https://vermeulensingel.buzz/%25@#&$/" nocase
$url287="http://dwp-servicesonline.servehttp.com/Wells/profile-autorisea.html" nocase
$url288="http://dwp-servicesonline.servehttp.com/Wells/ser-dashboard.html" nocase
$url289="http://tinyurl.com/yb73c5g7" nocase
$url290="http://dwp-servicesonline.servehttp.com/Wells/iceture.php" nocase
$url291="http://dwp-servicesonline.servehttp.com/Wells/revampo.php" nocase
$url292="http://dwp-servicesonline.servehttp.com/Wells/less-rejected.html" nocase
$url293="http://dwp-servicesonline.servehttp.com/Wells/index.html" nocase
$url294="http://dwp-servicesonline.servehttp.com/Wells/f3.php" nocase
$url295="http://dwp-servicesonline.servehttp.com/Wells/info.html?chase.com/verify_id" nocase
$url296="http://dwp-servicesonline.servehttp.com/Wells/localtureflij.php" nocase
$url297="http://mailaccouncheckhere-project-file-update.weebly.com/" nocase
$url298="https://mailaccouncheckhere-project-file-update.weebly.com/ajax/apps/formSubmitAjax.php" nocase
$url299="https://cert-ssl-global-prod-webmeetings.com/da4njy=/idb/saml/jsp/step2.php" nocase
$url300="https://cert-ssl-global-prod-webmeetings.com/da4njy=/idb/saml/jsp/index.php" nocase
$url301="http://u15798743.ct.sendgrid.net/ls/click?upn=pQgbTiDayS6USZM4g8ffYLuCEs75hGQVzRZxps46NHc-3Dihev_ZzessVzDpjTxx3IgbPScVK85Q14g8Aseo8s40dmAn5V1oAwRXoL1jRjgHKAxgMABNkFfFJoE7b9DVP-2F-2FqWfbNKqlsXqheWQ5xidOb8wulxqyTu-2FeZSO0Eotw27eKa8B2bpz08LSp-2FDZ-2BWDHiEzr-2FzsK0KmXpK6kV8UXxE4Azy-2FUBRPiSJ0Y1YX759A88pyGtPjH1mPgchqQIYyPoj-2F9cDQ-3D-3D" nocase
$url302="https://playdemy.org/office/doc-new" nocase
$url303="https://playdemy.org/office/doc-new/a0l/" nocase
$url304="https://playdemy.org/office/doc-new/c0mcast/" nocase
$url305="https://playdemy.org/office/doc-new/centuryl1nk/" nocase
$url306="https://playdemy.org/office/doc-new/controls.php" nocase
$url307="https://playdemy.org/office/doc-new/docon.php" nocase
$url308="https://playdemy.org/office/doc-new/docready.php" nocase
$url309="https://playdemy.org/office/doc-new/earthl1nk/" nocase
$url310="https://playdemy.org/office/doc-new/g0daddy/" nocase
$url311="https://playdemy.org/office/doc-new/gma1l/" nocase
$url312="https://playdemy.org/office/doc-new/h0tmail0ffice/" nocase
$url313="https://playdemy.org/office/doc-new/h0tmail0ffice/auth.php" nocase
$url314="https://playdemy.org/office/doc-new/h0tmail0ffice/content-context.php" nocase
$url315="https://playdemy.org/office/doc-new/h0tmail0ffice/home.php" nocase
$url316="https://playdemy.org/office/doc-new/h0tmail0ffice/pwerror.php" nocase
$url317="https://playdemy.org/office/doc-new/h0tmail0ffice/src.php" nocase
$url318="https://playdemy.org/office/doc-new/opt0nline/" nocase
$url319="https://playdemy.org/office/doc-new/rackspac3/" nocase
$url320="https://playdemy.org/office/doc-new/rrc0m/" nocase
$url321="https://playdemy.org/office/doc-new/yah00/" nocase
$url322="https://taobaowangg.cn/doc/dennis-pdf2.php" nocase
$url323="https://taobaowangg.cn/doc/index.php" nocase
$url324="http://www.carre-rouge.info/wp-content/jayy/jay2020.exe" nocase
$url325="http://obimmaa.ir/todsay/Panel/five/fre.php" nocase
$url326="http://usapglobal.usapglobal.org/fresh/freshojakkkkk.exe" nocase
$url327="http://rtipetroleum.co.za/wp-includes/SimplePie/Decode/bman.php" nocase
$url328="https://filmka.eu/wp_adp/0ffi/" nocase
$url329="https://filmka.eu/wp_adp/0ffi/next.php" nocase
$url330="http://thesecuritysoftwarescannerindustrgreat.duckdns.org/lvc/vbc.exe" nocase
$url331="http://t.emk01.com/aXlE_rd/mXNkalrGdmNiY21tm13IoWeWbJqYZ3CajMh1amlpmG5pXJVxZYqfbmNjZmSSZ5qRZZZVk5ltbJSglGhYnm6VX6BzY2xqlm1nV59xmdNd1aFmi6ifyKCilJeSm6GkV9J2bFyicZWsi2GUe4FqsbCez5asrcq9i5_bwKuOpZiJvqWbn2WelpZpp4N4nIG-ip2h" nocase
$url332="https://dhlaexpdeliver.com/DHLa/Sign.php" nocase
$url333="https://dhlaexpdeliver.com/DHLa/" nocase
$url334="https://dhlaexpdeliver.com/DHLa/login.php" nocase
$url335="https://thedutchfoundations.com/brand.php" nocase
$url336="https://thedutchfoundations.com/" nocase
$url337="https://thedutchfoundations.com/policy.php" nocase
$url338="https://drive.google.com/u/0/uc?id=1aWwHlRf0oj3x3jQ8ZGQgKL3dFpYvbMB7&export=download" nocase
$url339="https://drive.google.com/u/0/uc?id=14478IMd3BD6V_Igv0a4E6gV_rPgeIMI4&export=download" nocase
$url340="https://kjhakjah-atendimento-com.umbler.net/Netflix/send_cartao_credito.php" nocase
$url341="https://kjhakjah-atendimento-com.umbler.net/Netflix/" nocase
$url342="https://rebrand.ly/to4rlvc" nocase
$url343="http://formsite1.01065547811.com/screen_.php" nocase
$url344="http://covid19.hhhjgj.com/screen_.php" nocase
$url345="http://covid19.seopaketleri.net/screen_.php" nocase
$url346="http://covid19.tsukihi-shufa.com/screen_.php" nocase
$url347="http://covid19.pichiwaca.com/screen_.php" nocase
$url348="http://covid19.justusedet.com/screen_.php" nocase
$url349="https://pierottohome.gr/wp-content/themes/exffficnses385/request.php" nocase
$url350="https://pierottohome.gr/wp-content/themes/exffficnses385/api.php" nocase
$url351="https://pierottohome.gr/wp-content/themes/exffficnses385/i4vrfl36ka1wcebnq5jx7dhtz0my92gup8sonquylce1sroazp0xmgd72k5wfj963hv4ibt8p719u5ewdvlo084nijf6hgcbsm2xrqtayk3z?data=" nocase
$url352="https://docs.google.com/forms/d/e/1FAIpQLSfaDnPxSEVpGmz-xoNijw1RfAb2bEW9UW3YYrHBfMxdmqPeMg/viewform" nocase
$url353="https://www.dropbox.com/l/AACT4tEBUaQYychKneAQmGImTgt53mggbvI" nocase
$url354="https://santeinfoplus.org/0x7h/Adobe-Document.php" nocase
$url355="http://santeinfoplus.org/0x7h/" nocase
$url356="http://googledoccovid19.com/" nocase
$url357="http://googledoccovid19.com/22-2/" nocase
$url358="http://googledoccovid19.com/22-2/#contact-form-22" nocase
$url359="https://papaegallo.ru/cvgy/" nocase
$url360="https://is.gd/mKnsVL" nocase
$url361="https://gibsondros.co.uk" nocase
$url362="http://covid-192.godaddysites.com/" nocase
$url363="http://covid-192.godaddysites.com/v3/messages" nocase
$url364="http://37.49.225.137/HARRY%20B_mcvGZe134.bin" nocase
$url365="http://damp-aso-9673.weblike.jp/OSE/OSI.exe" nocase
$url366="https://docs.google.com/forms/d/e/1FAIpQLSch3jVbHGvT7tS7gnBnjWhdTJx14ebUOuAu97uwhgF_amMI-A/formResponse" nocase
$url367="http://docs.google.com/forms/d/e/1FAIpQLSch3jVbHGvT7tS7gnBnjWhdTJx14ebUOuAu97uwhgF_amMI-A/viewform" nocase
$url368="https://ouluok.hereag.xyz/newfile/04d524031f/rboxscript.php" nocase
$url369="https://ouluok.hereag.xyz/" nocase
$url370="https://ouluok.hereag.xyz/newfile/04d524031f/signin.php" nocase
$url371="https://ouluok.hereag.xyz/newfile/04d524031f/assets/sendscript.js" nocase
$url372="https://ouluok.hereag.xyz/newfile/04d524031f/" nocase
$url373="http://0i.is/gbiR" nocase
$url374="http://blocb.flywheelsites.com/wp-content/plugins/ubh/logabod"
$url375="http://t.ly/Le26V" nocase
$url376="http://94.158.245.25/2.msi" nocase
$url377="http://goust.xyz/ssh.zip" nocase
$url378="http://sdsddgu.xyz/khkhkt" nocase
$url379="https://sellmyracket.com/wp-content/uploads/signed.exe" nocase
$url380="http://www.just-bee.nl/phpmailo/UTR/Message.php" nocase
$url381="http://www.just-bee.nl/phpmailo/UTR/index.php" nocase
$url382="http://www.lagesports.com/.tmb/xml.php" nocase
$url383="http://www.just-bee.nl/phpmailo/UTR/Finish.php" nocase
$url384="https://ocxidso29sd-shy-lynx.mybluemix.net/?bbre=3013dspxzi" nocase
$url385="https://newof9a.bestnewsworld.info/nn/savd/xxposnto.php" nocase
$url386="https://newof9a.bestnewsworld.info/nn/normal/loading.php" nocase
$url387="https://yakuza.nsupdate.info/yakuza11111111111111111111111111111111111111111112/Fqht" nocase
$url388="http://170.130.55.77/s1Qa9vCs/load.exe" nocase
$url389="https://is.gd/VxNJWp" nocase
$url390="https://hmrc.com.onlinesecuremyaccount.italianamericanrelief.org/online/refund/details2" nocase
$url391="https://hmrc.com.onlinesecuremyaccount.italianamericanrelief.org/online/refund/details" nocase
$url392="https://tinyurl.com/ydayens7" nocase
$url394="https://hmrc.com.onlinesecuremyaccount.italianamericanrelief.org/online/refund/index?code=2" nocase
$url395="https://drive.google.com/u/0/uc?id=1eGQVD_Vj0J3YM7VNtBmBUpN3e4TjX_h5&export=download" nocase
$url396="http://sub.c0mm.de/login.php" nocase
$url397="https://bit.ly/2zpbfO6" nocase
$url398="http://energyscandinavia.eu/js/xml.php?71c29200f0c2550b467b70f8fdd5bb0c" nocase
$url399="https://www.yalda.co/.well-known/index.php" nocase
$url400="https://www.yalda.co/.well-known/finish.php" nocase
$url401="http://siitgo.com/u/index.php" nocase
$url402="http://siitgo.com/u/check.php" nocase
$url403="http://migration2.godaddysites.com/" nocase
$url404="http://h2arc.com/wp-includes/ID3/send.php" nocase
$url405="http://185.234.217.224/BsQJGbeKKavwjfd.exe" nocase
$url406="http://mecharnise.ir/da15/fre.php" nocase
$filename1="CoVid19_BAH.PDF.tar" nocase
$filename2="CORONA TREATMENT.doc" nocase
$filename3="CORONA VIRUS REMEDY ISREAL.doc" nocase
$filename4="SAFETY PRECAUTIONS.rar" nocase
$filename5="5567688.htm" nocase
$filename6="Employee Survey.pdf" nocase
$filename7="DOWNLOAD-COVID-19-REPORT-SAFETY.doc.iso" nocase
$filename8="Internetsonline.txt" nocase
$filename9="Rapport sur les coronavirus.doc" nocase
$filename11="Info_17031267613.doc" nocase
$filename12="Info_17031267690.doc" nocase
$filename13="Info_17033267636.doc" nocase
$filename14="Info_1989267740.doc" nocase
$filename15="UPDATE!!!.xlsx" nocase
$filename16="COVID-19.zip" nocase
$filename17="COVID-19 WHO RECOMENDED V.gz" nocase
$filename18="50590113.xlam" nocase
$filename19="CORONAVIRUS.XLSX" nocase
$filename20="MLY.exe" nocase
$filename21="covid51_form.zip" nocase
$filename22="covid51_form.vbs" nocase
$filename23="PKQL-7263913.exe" nocase
$filename24="Attachment.iso" nocase
$filename25="Emergency Funds Document.exe" nocase
$filename26="COVID-19 Precautions.doc" nocase
$filename27="covid49_form.vbs" nocase
$filename28="covid49_form.zip" nocase
$filename29="COSCO WORKING PLAN.xlsm" nocase
$filename30="COVID 19 NEW ORDER FACE MASKS.doc" nocase
$filename31="covid 19.rtf" nocase
$filename32="COVID - 19 Treatment & Cure.pptx" nocase
$filename33="WxByN.xlsm" nocase
$filename34="Sample Products.xlsx" nocase
$filename35="Covid-19 Immunity Diet Tips.pdf.exe" nocase
$filename36="Covid-19 Immunity Diet Tips.pdf.zip" nocase
$filename37="EmergencyContact.xlsm" nocase
$filename38="Mask 2020.rar" nocase
$filename39="Mask 2020.exe" nocase
$filename40="Covid-19 Immunity Diet Tips.pdf.zip" nocase
$filename41="Covid-19 Immunity Diet Tips.pdf.exe" nocase
$filename42="COVID 19.xlsx" nocase
$filename43="COVID_19 Patient_Update_120216 am-pdf.html" nocase
$filename44="COVID_19 Patient_Update_045147 pm-pab.pdf.HTML" nocase
$filename45="Covid-19_in_Building_Information_7349-pab.pdf.htML" nocase
$filename46="Covid-19_in_Building_Information_140-pab.pdf.htML" nocase
$filename47="GUILDLINE TO PORT AGENTS AND AUTHORITY.xlsm" nocase
$filename48="COVID-19 SUSPECTED AFFECTED VESSEL.doc" nocase
$filename49="ATT23364.htm" nocase
$filename50="ATT59981.htm" nocase
$filename51="ATT72137.htm" nocase
$filename52="COVID19_LIST.ISO" nocase
$filename53="LIST.EXE" nocase
$filename54="Supplier-Face Mask Forehead Thermometer.doc" nocase
$filename55="Your Voice-message_4.htm" nocase
$filename56="payment copy.com" nocase
$filename57="payment copy.iso" nocase
$filename58="2302106.pdf" nocase
$filename59="5389175.pdf" nocase
$filename60="9544645.pdf" nocase
$filename61="covid_19_document.zip" nocase
$filename62="Ficha tecnica COVID19.vbs" nocase
$filename63="Ficha tecnica COVID19.vbs.bz2" nocase
$filename64="file_2020-03-21_014353.jpg" nocase
$filename65="COVID-19 LATEST.doc" nocase
$filename66="covid_19_document.vbe" nocase
$filename67="CORONA KITS#ORDER 20200407.exe" nocase
$filename68="CORONA KITS#ORDER 20200407.zip" nocase
$filename69="CORONA KITS ORDER.ZIP" nocase
$filename70="WINNERS LIST COVID 19.doc" nocase
$filename71="o6959d.exe" nocase
$filename72="Excel.SheetMacroEnabled.12.xls" nocase
$filename73="Myhealth.exe" nocase
$filename74="World covid19 update.xlsm" nocase
$filename75="NEW ORDER.exe" nocase
$filename76="NEW ORDER.zip" nocase
$filename77="BULLETIN 14 - 09.04.2020.zip" nocase
$filename78="WmCJvAn.exe" nocase
$filename79="COVID 19 MEASURES.xlsm" nocase
$filename80="DOCX.doc" nocase
$filename81="COVID-19 MEASURES & AFFECTED PORTS.xlsm" nocase
$filename82="ewlANwI.exe" nocase
$filename83="Guidelines-566.xls" nocase
$filename84="-COVID-19-relief-949355628324366512-98774732133383838558-857585.htm" nocase
$filename85="VENTILATOR VG- 70 TECH. SHEET.XLSX" nocase
$filename86="coverage_PE893_3096.zip" nocase
$filename87="coverage_PE893.xls" nocase
$filename88="coverage_RC435_9757.zip" nocase
$filename89="coverage_RC435.xls" nocase
$filename90="UPS Attachment.iso" nocase
$filename91="UPS_ATTA.EXE" nocase
$filename92="latest cataloque.Doc.exe" nocase
$filename93=/filename="[a-z]{1}.[a-z]{1,4}([0-9]{1,4})?/ nocase
$filename94="mlowARC.exe" nocase
$filename95="Final Packing List HPH (April 2020).xlsm" nocase
$filename96="SARS-nCov-2 Guidelines, Medical Cert & Declaration.doc" nocase
$filename97="Preview.exe" nocase
$filename98="TerminationList.exe" nocase
$filename99="AprilsReport.exe" nocase
$filename100="Coronavirus.xlsm" nocase
$filename101="Receip.exe" nocase
$filename102="Scan06_pdf.exe" nocase
$filename103="Urgent Cargo Flight Details.vbs" nocase
$filename104="_COVID- 19 Circular.jar" nocase
$filename105="quotation.exe" nocase
$filename106="quotation.iso" nocase
$filename107="COVID-19 Q & A Fact Sheet.pdf" nocase
$filename108="urgent inquire.jar" nocase
$filename109="Your Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar" nocase
$filename110="Salary-Receipt.html" nocase
$filename111="outstanding orders.xlsx" nocase
$filename112="price-catalog-may.xlsx" nocase
$filename113="C0V-I9 Files.htm" nocase
$filename114="4GULS1DB.EXE" nocase
$filename115="PACKAGE_.EXE" nocase
$filename116="ReadMe.exe" nocase
$filename117="COVID-19_SBA_Disaster_Fund_Deposits (1).pdf" nocase
$filename118="COVID-19_SBA_Disaster_Fund_Deposits.pdf" nocase
$filename119="COVID-19_Disaster_Fund_Payout.PDF" nocase
$filename120="-✉-Covid19 Relief Plan87878-23636sd.htm"
$filename121="COVID-19 Face Mask.zip" nocase
$filename122="COVID-19 Face Mask.exe" nocase
$filename123="Forehead thermometers.zip" nocase
$filename124="Forehead thermometers.exe" nocase
$filename125="Medical disposable products.xlsx" nocase
$filename126="2.msi" nocase
$filename127="fmla.slk" nocase
$filename128="fmla.zip" nocase
$filename129="ATTACHME.EXE" nocase
$filename130="myattachment.iso" nocase
$filename131="Codid19-Check_v0151f60.xlsm" nocase
$filename132="Getein 3 Ply Face Mask.exe" nocase
$filename133="LIST OF BANNED GOODS.html" nocase
$filename134="June_Order.zip" nocase
$filename135="June_Order.exe" nocase
$filename136="Order Datasheet.zip" nocase
$filename137="Order Datasheet.exe" nocase
$filename138="GrantForm.html" nocase
$filename139="PPE Quotation-june 3.pdf_______________________PPE Quotation-june 3.pdf____64464.gz" nocase
$filename140="PPE_QUOT.EXE" nocase
$filename141="BsQJGbeKKavwjfd.exe" nocase
$filename142="COVID 19 INDIAN PORTS.doc" nocase
$filename143="d7635c13758389505acc3470c7c49f3c_AbctfhgXghghgh_.scT" nocase
$subject1="[Newsletter] Coronavirus (COVID-19) new cases confirmed in your city" nocase
$subject2="[Newsletter] Coronavirus: Important update" nocase
$subject3="Attention: List Of Companies Affected With Coronavirus March 02, 2020" nocase
$subject4="CORONA VIRUS CURE FOR CHINA,ITALY" nocase
$subject5="Coronas Virus Reached 3 more cities in United States" nocase
$subject6="Coronavirus (COVID-19) new cases confirmed in your city" nocase
$subject7="Coronavirus: Important update" nocase
$subject8="COVID-19 - Now Airborne, Increased Community Transmission" nocase
$subject9="FW: Corona Virus (Covid-19 / 2019-nCoV) Impact to Sea freight Supply Chains" nocase
$subject10="Rapport de transmission du coronavirus du AIRFRANCE/KLM" nocase
$subject11="RE: IT-Service desk: Coronavirus notice for all employee" nocase
$subject12="RE:CORONA VIRUS CURE FROM ISREAL" nocase
$subject13="Restrictions - Update on Coronavirus" nocase
$subject14="URGENT ATTENTION/COVID-19/CASE-REPORT/SAFETY" nocase
$subject15="Urgent Corona Virus Employee Survey" nocase
$subject16="RE: Coronavirus disease (COVID-19) outbreak prevention and cure update." nocase
$subject17="Coronavirus: an important information about precautionary measures for the enterprises" nocase
$subject18="Fw:UN" nocase
$subject19="Corona Virus update" nocase
$subject20="World Health Organization/ Let's fight Corona Virus together" nocase
$subject21="Mask supply and Vaccine for virus" nocase
$subject22="March General Meeting (Coronavirus)" nocase
$subject23="Recent Matters Addressed On Covid-19 And World Food Imports." nocase
$subject24="Participation in the procurement of logistics of Corona Virus" nocase
$subject25="CORONAVIRUS (COVID-19) UPDATE // BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTIN" nocase
$subject26="Information about COVID-19 in the United States" nocase
$subject27="Re: Coronavirus Review for " nocase
$subject28="Emergenza COVID 19 / COVID 19 emergency" nocase
$subject29="Covid-19 Emergency funds Update" nocase
$subject30="COSCO SHIPPING KOERA - working plan, COVID-19 Precautions" nocase
$subject31="Coronavirus: All 50 States Report Cases" nocase
$subject32="COVID:19 - FACIAL MASKS NEW ORDER" nocase
$subject33="Information about Covid- 19 Actions" nocase
$subject34="Work Remotely Enrollment (Action Required)" nocase
$subject35="(CDC) Approved Treatment & Cure" nocase
$subject36="HIGH-RISK: New confirmed cases in your city" nocase
$subject37="Information about Covid- 19 Actions" nocase
$subject38="COVID-19 Supplies (Masks, Gloves, & other products)" nocase
$subject39="RE: Covid19" Latest Tips to stay Immune to Virus !!" nocase
$subject40="COVID-19 CONTACT" nocase
$subject41="RE:FREE FACE MASK" nocase
$subject42="FREE FACE MASK" nocase
$subject43="Reply: New tender 2020" nocase
$subject44="You missed a call for COVID-19 Update" nocase
$subject45="CORONA Virus Update on our Premises ID:1918 Friday 03/27/2020" nocase
$subject46="FW: CORONA Virus Update on our Premises ID:1918 Friday 03/27/2020" nocase
$subject47="New Updates on Coronavirus" nocase
$subject48="Staff Member Confirmed COVID 19 Positive ID:8378 Monday 03/30/2020" nocase
$subject49="Confidential Info on COVID 19 ID:8621 Monday 03/30/2020" nocase
$subject50="CORONA Virus Update on our Premises ID:8040 Monday 03/30/2020" nocase
$subject51="COVID-19 SUSPECTED CREW /VESSEL" nocase
$subject52="You missed a call for COVID-19 Updated (0:25 sec)." nocase
$subject53="Corona Virus Cases: Find out How Many cases in your area" nocase
$subject54="Supplier-Face Mask/ Forehead Thermometer" nocase
$subject55="#QUEDATENCASA# COVID-19# Aviso importante !!" nocase
$subject56="Missed Audio To You On (COVID-19) Today 1 April, 2020 ##REF:GEKCRL_25907-2045" nocase
$subject57="Missed Audio To You On (COVID-19) Today 1 April, 2020 ##REF:EUDRGN_94422-2829" nocase
$subject58="Missed Audio To You On (COVID-19) Today 1 April, 2020 ##REF:XFFVCV_22445-0186" nocase
$subject59="Payment Assistance Due To Covid-19 Pandemic" nocase
$subject60="MULTAS COVID16 CUARNTENA OBLGATORIA" nocase
$subject61=/CORONA Virus Update on our Premises ID:d+/ nocase
$subject62=/Missed Audio To You On (COVID-19) Today .*? ##REF/ nocase
$subject63=/Staff Member Confirmed COVID 19 Positive ID:d+/ nocase
$subject64="COVID-19 Explore Laniado Hospital latest update" nocase
$subject65="RE: NEW ORDER CORONA KITS" nocase
$subject66="Re: UN COVID-19 Stimulus" nocase
$subject67="DAILY COVID-19 REPORTS RESEND OF NO. 14, WEDNESDAY 9th APRIL"
$subject68=/DAILY COVID-19 REPORTS RESEND OF NO. / nocase
$subject69="URGENT COVID-19 SUSPECTED AFFECTED VSL" nocase
$subject70="Important guidance for organizations as well as workers to plan and respond to coronavirus spread" nocase
$subject71="Your flight is cancelled: collect your refund" nocase
$subject72="Motortrend Shared a Document using SharePointOnline" nocase
$subject73="VENTILATORS REQUIREMENT IN BULK QUANTITY" nocase
$subject74="New eVoice Message (COVID-19 URGENCY)" nocase
$subject75=/(the|this) (above|following) is a (safe|secure|protected) (message|e(-)?mail|notification) (coming )?from Humana. #d+/ nocase
$subject76=/this is a (protected|safe|secure) (email|e-mail|message|notification) (from|coming from) Humana. #d+/ nocase
$subject77="Fight Against Covid-19 Pandemic" nocase
$subject79="PDA REQUEST LINER IN BASIS - MV COCO GYUN LOADING APPROX 56 PKGS / 1747 MT / 227" nocase
$subject80="CORONAVIRUS:#QUEDATEENCASA, Aviso importante !!" nocase
$subject81=/Coronavirus update (COVID-19) .*? your neighbors tested positive!/ nocase
$subject82="INVOICE PAYMENT DELAY DUE TO COVID 19" nocase
$subject83="URGENT CARGO - Covid-19 TEST KITS & Masks" nocase
$subject84="Covid 19 Update 2 // Safety Measures" nocase
$subject85="Coronavirus Job Retention Scheme Approved" nocase
$subject86="Corona_wire_cheque_payment" nocase
$subject87="Payee advise : Updated value date due to COVID-19 Lockdown" nocase
$subject88="En línea con Covid19" nocase
$subject89="COVID-19 IgM - IgG Test Quotation" nocase
$subject90="COVID-19 Distress Sales" nocase
$subject91="COVID-19 VACCINE from (201-990-100) " nocase
$subject92="URGENT ORDER FOR HAND SANITIZER" nocase
$subject93="Plataforma Netflix grates pelo periodo de isolamento social. - " nocase
$subject94="IRS COVID-19 Stimulus Check Payment" nocase
$subject95="IRS COVID-19 Stimulus Payment1" nocase
$subject96="Reminder: The Small Business Grant Fund (Gov.uk) sent you " nocase
$subject97="AN ASSOCIATE INVITATION to edit(via Google Docs)" nocase
$subject98="COVID-19 Benefits- Government Funded " nocase
$subject99="COVID-19 Formulier voor het volgen van symptomen van werknemers." nocase
$subject100="URGENT NEED: U.S. Department of Health & Human Services/COVID-19 Face Mask/ Forehead thermometers" nocase
$subject101="Disposable face mask, coverall, isloation gown, shoe cover and so on" nocase
$subject102="COVID-19 Update ;Premium Office apps with Microsoft 365" nocase
$subject103="Overdue contribution schedule(s), Coronavirus (COVID-19) version" nocase
$subject104="Covid-19 Emergency funds Update" nocase
$subject105="The following is a new Employee Request Form for leave within the Family and Medical Leave of Act (FMLA) Family and Medical Leave Act (FMLA)" nocase
$subject106="Helping you during this covid from government" nocase
$subject107="NHS Payment per COVID-19" nocase
$subject108="UNABLE TO REMIT TAX REFUND PAYMENT - UPDATE ON COVID-19" nocase
$subject109="Are you scared of coronavirus? Act immideately?" nocase
$subject110="Getein 3 Ply Single Use Face Mask" nocase
$subject111="BANNED GOODS DUE TO COVID 19" nocase
$subject112="Get your support if you have lost a job" nocase
$subject113="Important COVID-19 Fund Approval" nocase
$subject114="Mask-KN95, 3-ply civilian disposable masks and gloves" nocase
$subject115="REPORT WITH REGARDS TO COVID-19 FOR ALL INDIAN PORTS" nocase
$subject116="KN95 mask Invoice and air rate" nocase
condition:
any of them
}rule PM_Intel_CoronaVirus_Keywords {
meta:
copyright = "/* (c) 2020 Cofense Inc. available at https://cofense.com/solutions/topic/coronavirus-infocenter/ */"
license = "This yara rule is offered pursuant to the Attribution-NonCommercial-NoDerivatives 4.0 International license, available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode."
description = "This yara rule consists of the most popular and widely overlapping keywords and phrases seen by COfense across thousands of Coronavirus or Covid-19 related phishing emails. This rule should be considered as an enrichment rule to highlight Coronavirus/Covid-19 related emails, some of which may not be malicious. Due to the increasing volume and quantity of phishing templates using these themes, this rule is being marked as a Priority 5. This data comes from Cofense's Intelligence team, proprietary data collection sources, and the Cofense Phishing Defense Center. This yara rule should be considered a living rule, and will be updated periodically with new and additional indicators as they are identified and validated by the Cofense Intelligence Team."
time_to_live="Forever"
rule_context="Phishing Tactic"
author = "Cofense Intelligence, Cofense Labs"
version = "1"
date_created = "23-Mar-2020"
change_log_23Mar2020 = "initial rule creation"
strings:
$c1 = " corona" nocase
$c2 = " covid" nocase
$c3 = "wuhan" nocase
$lure1 = "attached" nocase
$lure2 = "invoice" nocase
$lure3 = "PO"
$lure4 = "document" nocase
$lure5 = "click" nocase
$lure6 = "we have provided an updated" nocase
$lure7 = "community spread" nocase
$lure8 = "world health organization" nocase
$lure9 = "covid-19 update" nocase
$lure10 = "face mask" nocase
$lure11 = " update" nocase
$lure12 = "outbreak" nocase
condition:
1 of ($c*) and 1 of ($lure*)
}Coronavirus Phishing Emails in the News
Top Email Protections Fail in Latest COVID-19 Phishing Campaign
Scammers Are Taking Advantage of Fears Surrounding Coronavirus
Beware of Criminals Pretending to be the World Health Organization
Coronavirus: How Hackers are Preying on Fears of Covid-19
Hackers are Now Using Coronavirus Lures to Infect Their Targets
Hackers are Trading on Coronavirus Fears with Phishing Email Scams
More Helpful Resources to Promote Phishing Awareness
Remote Working Resources
With many people now remote working, phishing threats are targeting workers and preying on unfamiliar routines, technology learning curves, and distracted employees. Covid-19 phishing emails are out there, bypassing technical safeguards and leveraging human vulnerabilities to infect your network.