rule bulwark_https_bulwarkblack_com_fortinet_blocks_actively_exploited_forticloud_sso_zero_day_until_
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/fortinet-blocks-actively-exploited-forticloud-sso-zero-day-until-patch-is-ready/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:31:25Z"
        tlp = "TLP:CLEAR"
        indicator_count = "12"
    strings:
        $s0 = "104.28.195.105" ascii wide nocase  // IPv4
        $s1 = "104.28.195.106" ascii wide nocase  // IPv4
        $s2 = "104.28.212.114" ascii wide nocase  // IPv4
        $s3 = "104.28.212.115" ascii wide nocase  // IPv4
        $s4 = "104.28.227.105" ascii wide nocase  // IPv4
        $s5 = "104.28.227.106" ascii wide nocase  // IPv4
        $s6 = "104.28.244.114" ascii wide nocase  // IPv4
        $s7 = "104.28.244.115" ascii wide nocase  // IPv4
        $s8 = "217.119.139.50" ascii wide nocase  // IPv4
        $s9 = "37.1.209.19" ascii wide nocase  // IPv4
        $s10 = "cloud-init@mail.io" ascii wide nocase  // Email Addresses
        $s11 = "cloud-noc@mail.io" ascii wide nocase  // Email Addresses
    condition:
        any of ($s*)
}
