From d378c4e9efdab60298b7ad657515516183ea3de4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Wed, 11 Jul 2018 08:33:28 +0200
Subject: [PATCH] add: [microsoft-attack-simulator] warning list about phishing
 campaign for "security awareness"

---
 lists/microsoft-attack-simulator/list.json | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 lists/microsoft-attack-simulator/list.json

diff --git a/lists/microsoft-attack-simulator/list.json b/lists/microsoft-attack-simulator/list.json
new file mode 100644
index 0000000..eedd1af
--- /dev/null
+++ b/lists/microsoft-attack-simulator/list.json
@@ -0,0 +1,25 @@
+{
+  "matching_attributes": [
+    "ip-src",
+    "ip-dst",
+    "domain|ip",
+    "hostname"
+  ],
+  "version": 20180711,
+  "list": [
+    "52.168.52.134",
+    "securescore-user-prod.cloudapp.net",
+    "portal.docdeliveryapp.com",
+    "portal.hardwarecheck.net",
+    "portal.payrolltooling.com",
+    "portal.docdeliveryapp.net",
+    "portal.docstoreinternal.com",
+    "portal.prizesforall.com",
+    "portal.payrolltooling.net",
+    "portal.prizegiveaway.net",
+    "portal.hrsupportint.com"
+  ],
+  "name": "List of known Office 365 Attack Simulator used for phishing awareness campaigns",
+  "description": "Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence",
+  "type": "substring"
+}