AI Threat Chat
RAG-powered conversational threat analysis with source citations
Cyntelligence AI
Online — Powered by local LLM + RAG
What phishing campaigns are currently targeting our organization?
Based on our threat intelligence data from the last 30 days, I've identified 3 active phishing campaigns targeting your monitored domains:
1. Customs-Payment-Phishing-2026-04 (Active)
- Domains: portal.custbms.top, portal.aeirxt.top
- Impersonates government customs payment portal
- 8 related IOCs identified, all defanged URLs
- Risk Score: 76/100
2. Telecom Bill Payment Phishing (Active)
- Domain: evil-login.telecom-pay.com
- Detected via CertStream monitoring on April 8
- Brand fuzzy match score: 92% (high confidence impersonation)
- Risk Score: 92/100
3. Energy Sector Career Portal Phishing (Under Investigation)
- Domain: fake-energy-careers.com
- Targets job seekers with fake application forms
- Harvesting credentials and personal documents
- Risk Score: 88/100
Recommended Actions:
- Block all identified domains at DNS/proxy level
- Alert SOC team to monitor for credential submission attempts
- Update email gateway rules for these sender domains
*Sources: CertStream CT logs, Phishing Detection Module, Telegram dark web monitoring*
Show me the MITRE techniques used in the telecom phishing campaign
The telecom phishing campaign maps to the following MITRE ATT&CK techniques:
| Technique | Name | Phase |
|-----------|------|-------|
| T1566.002 | Phishing: Spearphishing Link | Initial Access |
| T1204.001 | User Execution: Malicious Link | Execution |
| T1078 | Valid Accounts (credential harvesting) | Persistence |
| T1056 | Input Capture (keylogging on fake login) | Collection |
| T1071.001 | Web Protocols (HTTPS C2) | Command & Control |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
Kill Chain Analysis:
Delivery → Spearphishing email with link → Exploitation → User enters credentials on fake portal → C2 → Stolen data exfiltrated via HTTPS POST → Actions → Account takeover
Detection Sigma Rule Available:
We've auto-generated a Sigma rule for the C2 domain — available in the Detection Engineering module for Splunk, Elastic, and Microsoft Sentinel formats.
*Sources: MITRE ATT&CK v15, Cyntelligence Detection Engine, Phishing Agent Investigation*