rule bulwark_https_bulwarkblack_com_pink_extortion_m365_vishing_cloud_data_defense
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/pink-extortion-m365-vishing-cloud-data-defense/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:56:44Z"
        tlp = "TLP:CLEAR"
        indicator_count = "6"
    strings:
        $s0 = "deploypasskey.com" ascii wide nocase  // Domains
        $s1 = "passkeyadd.com" ascii wide nocase  // Domains
        $s2 = "passkeydeploy.com" ascii wide nocase  // Domains
        $s3 = "172.93.100.252" ascii wide nocase  // IPv4
        $s4 = "185.178.208.153" ascii wide nocase  // IPv4
        $s5 = "96.232.20.66" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
