rule bulwark_https_bulwarkblack_com_threat_actors_abuse_atlassian_jira_cloud_to_bypass_email_security
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/threat-actors-abuse-atlassian-jira-cloud-to-bypass-email-security-and-target-government-entities/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:57:57Z"
        tlp = "TLP:CLEAR"
        indicator_count = "8"
    strings:
        $s0 = "adrinal.com" ascii wide nocase  // Domains
        $s1 = "archicad3d.com" ascii wide nocase  // Domains
        $s2 = "atlassian.net" ascii wide nocase  // Domains
        $s3 = "barankinyserialxud.online" ascii wide nocase  // Domains
        $s4 = "claude.ai" ascii wide nocase  // Domains
        $s5 = "go.sparkpostmail1.com" ascii wide nocase  // Domains
        $s6 = "sparkpostmail1.com" ascii wide nocase  // Domains
        $s7 = "13.227.180.4" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
