<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><span style="font-size: 1em;">At ThreatSTOP, our mission is to provide continuous, proactive protection against evolving cyber threats. Over the past month, our Security, Intelligence, and Research (SIR) team has implemented several key updates designed to improve visibility, accuracy, and long-term protection across our DNS Defense Cloud, DNS Defense, and IP Defense platforms. These changes enhance your ability to identify, block, and respond to malicious activity before it impacts your environment.</span></p> <!--more--><h3><strong>Classification and Retention Updates</strong></h3> <p><strong>Apple Private Relay FQDNs – Domains</strong></p> <p>This target has been reclassified from <i>General</i> to the <i>Anonymous Proxy</i> category. This change ensures better alignment with detection standards and helps clarify reporting for customers monitoring privacy-related traffic. No customer action is required and no policy impact is expected.</p> <p><strong>Extended Retention for Malware Targets</strong></p> <p>We’ve extended the data retention period for several malware-related targets to better capture long-lived infections and delayed callbacks. 
The following feeds now retain Indicators of Compromise (IOCs) for a longer duration:</p> <ul> <li> <p>Active Malware – Domains</p> </li> <li> <p>TS Originated Manual Malware Domain List – Domains</p> </li> <li> <p>Active Malware – IPs</p> </li> <li> <p>TS Originated Manual Malware IP List – IPs</p> </li> <li> <p>Dormant Malware – Domains</p> </li> <li> <p>Dormant Malware – IPs</p> </li> </ul> <p>This enhancement ensures that longer-running infections remain visible and actionable within your protection window.</p> <p><strong>Phishing Target Improvements</strong></p> <p>All phishing-related targets now retain data for a minimum of 14 days. While phishing domains are typically active for less than 24 hours, this update ensures that customers who may not check email daily remain protected from longer or recurring campaigns.</p> <p><strong>Suspicious and Malicious Domains</strong></p> <p>The target <i>“TS Originated suspicious and/or malicious domain names – Domains”</i> now retains data for a minimum of 30 days. This change enhances coverage for domains that initially appear inactive but later demonstrate malicious behavior. This domain is not included in policies by default, and must be manually configured if desired.</p> <h3><strong>Compliance and Intelligence Enhancements</strong></h3> <p><strong>OFAC and Sanctioned Entity Detection</strong></p> <p>Our OFAC and sanctioned entity compliance protections have been significantly upgraded. Detection is now fully automatic and AI-enhanced, improving both speed and precision. The retention window has been extended, and our system dynamically adapts as entities are added or removed from sanction lists. These updates ensure customers remain continuously compliant while benefiting from proactive protection against restricted or high-risk entities. 
A separate blog post will be written on this subject soon.</p> <h3><strong>Advanced DNS Tunneling Detection</strong></h3> <p><strong>DNS Tunneling – Domains</strong></p> <p>We’ve made substantial improvements to our DNS tunneling detection capabilities. This target now retains data for 90 days—three times longer than before—and detection accuracy has improved tenfold. Our updated model identifies VPNs that use DNS for tunneling (commonly browser-based plugins) and detects a new evasion method called <i>CNAME masking</i>, where malicious domains bounce through multiple CNAME records to hide their true destination.</p> <p>We have observed particularly effective detections of these techniques in live customer environments, where infected hosts attempted to combine CNAME masking and DNS tunneling to evade network protections. Our team was able to help the organization identify and remediate infections before any data exfiltration occurred. Additionally, detection coverage has expanded to include Proton Pro VPN, increasing visibility into VPN-based tunneling behaviors that blend into normal DNS traffic.</p> <p><strong>Recommendation:</strong></p> <p>We strongly recommend all customers enable the <i>“DNS Tunneling – Domains”</i> target. It is part of the <i>Command and Control</i> bundle but can also be added individually to your policy. This protection is one of the most effective ways to prevent covert tunneling, command and control communication, and hidden data transfer attempts.</p> <h3><strong>New and Enhanced Detection Capabilities</strong></h3> <p><strong>Funnull Technology Infrastructure Detection</strong></p> <p>We implemented new detection logic to block all traffic to infrastructure operated by Funnull Technology Inc., which was sanctioned by the U.S. 
Department of the Treasury and the FBI for facilitating cryptocurrency and romance scam operations. This has been rolling out since the announcement (linked below).</p> <p>Our system now automatically identifies and mitigates domains hosted on known Funnull IPs and CNAMEs, ensuring that any malicious or deceptive infrastructure tied to these operations is proactively blocked. (<a href="https://home.treasury.gov/news/press-releases/sb0149">U.S. Treasury Press Release</a>)</p> <p><strong>Machine Learning–Driven Whitelisting</strong></p> <p>We introduced an ML-driven system that intelligently separates safe from unsafe traffic. Using reinforcement learning, it continuously refines its understanding of legitimate activity, improving protection accuracy while minimizing false positives. This is being applied to the ML models we are building to proactively identify malicious traffic for customers.</p> <p><strong>Spam and Malicious URL Scoring</strong></p> <p>A new scoring engine now automatically flags URLs with a verdict score above 50, improving visibility into phishing and spam campaigns in real time. This is a backend feature; the only change customers will notice is increased detection.</p> <p><strong>Organizational Anomaly Detection</strong></p> <p>Our new anomaly detection system monitors traffic patterns per organization and automatically alerts the SIR team when traffic significantly exceeds expected thresholds or deviates from baseline activity. This allows us to identify new infections for customers (and proactively notify them), as well as monitor for false positives. More on this feature in the future as we continue to refine it.</p> <p><strong>Expanded Intelligence Partnerships</strong></p> <p>We’ve integrated with new third-party intelligence sources to enhance the speed and scope of detection. 
These feeds provide earlier visibility into active phishing and malicious-hosting campaigns, enriching the ThreatSTOP ecosystem and improving real-time protection.</p> <h3><strong>Stay Protected</strong></h3> <p>These updates represent ongoing progress in our commitment to delivering proactive, intelligent, and evolving protection across all ThreatSTOP platforms. Our Security, Intelligence, and Research team continues to refine detection coverage to stay ahead of adversaries and improve visibility for our customers.</p> <p>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today!</p> <p><strong>Connect with Customers, Disconnect from Risks</strong></p> <h3><strong>MITRE ATT&amp;CK Framework Mapping</strong></h3> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>Category</strong></p> </th> <th> <p><strong>MITRE Technique</strong></p> </th> <th> <p><strong>Description</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Command and Control</p> </td> <td> <p>T1071.004</p> </td> <td> <p>DNS Tunneling</p> </td> </tr> <tr> <td> <p>Exfiltration</p> </td> <td> <p>T1048</p> </td> <td> <p>Exfiltration Over Alternative Protocol</p> </td> </tr> <tr> <td> <p>Credential Access</p> </td> <td> <p>T1556</p> </td> <td> <p>Input Capture / Phishing</p> </td> </tr> <tr> <td> <p>Discovery</p> </td> <td> <p>T1082</p> </td> <td> <p>System Information Discovery via Network Data</p> </td> </tr> <tr> <td> <p>Evasion</p> </td> <td> <p>T1568</p> </td> <td> <p>Dynamic Resolution (CNAME Masking)</p> </td> </tr> <tr> <td> <p>Defense Evasion</p> </td> <td> <p>T1070</p> </td> <td> <p>Indicator Removal or 
Obfuscation</p> </td> </tr> <tr> <td> <p>Impact</p> </td> <td> <p>T1486</p> </td> <td> <p>Data Encryption or Data Manipulation</p> </td> </tr> </tbody> </table></span>
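<p>The "Advanced DNS Tunneling Detection" section above describes two behaviours a resolver-side defender can look for: answers that bounce through several CNAME records across unrelated domains before reaching a real address (CNAME masking), and query names whose long, high-entropy leftmost label carries encoded data (tunneling). The script below is an added illustration written for this page; it is not ThreatSTOP's detection model or code. All zone records, domain names and IP addresses in it are constructed examples, the registered-domain split is a deliberate simplification (last two labels, no public suffix list), and the thresholds (3 hops, 30-character label, 3.5 bits of entropy) are assumed starting points a practitioner would tune against their own traffic.</p>

```python
"""Toy detector for the two patterns the DNS tunneling section describes:
CNAME chains that bounce through several domains to hide the real destination
(CNAME masking) and tunnelling-style query names that carry encoded data in a
long, high-entropy leftmost label. All records below are constructed example
data with hypothetical names; nothing here performs live DNS lookups."""
import math
from collections import Counter

# Constructed zone data: name -> list of (rrtype, rdata). "*." entries act as
# wildcards so any subdomain of tunnel-svc.test resolves, the way an
# authoritative server used for tunnelling would answer.
RECORDS = {
    "cdn.example-shop.test": [("CNAME", "edge.relay-one.test")],
    "edge.relay-one.test": [("CNAME", "a1.relay-two.test")],
    "a1.relay-two.test": [("CNAME", "x9.final-hop.test")],
    "x9.final-hop.test": [("A", "203.0.113.10")],
    "www.normal-site.test": [("A", "198.51.100.5")],
    "loop-a.test": [("CNAME", "loop-b.test")],
    "loop-b.test": [("CNAME", "loop-a.test")],
    "*.tunnel-svc.test": [("A", "192.0.2.44")],
}

MAX_HOPS = 8  # assumed cap; resolvers also limit chain length, and hitting it is itself a signal


def registered_domain(name):
    """Crude registered-domain guess: the last two labels. A production
    detector would consult the public suffix list instead."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup(name, records):
    """Exact match first, then a single-level wildcard (*.parent)."""
    rrset = records.get(name)
    if rrset is None and "." in name:
        rrset = records.get("*." + name.split(".", 1)[1])
    return rrset


def follow_cname_chain(name, records=RECORDS, max_hops=MAX_HOPS):
    """Follow CNAMEs from name. Returns (chain, addresses, status): chain lists
    the starting name and every target visited in order, and status is one of
    'ok', 'nxdomain', 'loop' or 'too_long'."""
    chain, seen, current = [name], {name}, name
    while True:
        rrset = lookup(current, records)
        if rrset is None:
            return chain, [], "nxdomain"
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if not cnames:
            return chain, [rdata for rrtype, rdata in rrset if rrtype == "A"], "ok"
        target = cnames[0]
        if target in seen:
            chain.append(target)
            return chain, [], "loop"
        if len(chain) - 1 >= max_hops:
            return chain, [], "too_long"
        chain.append(target)
        seen.add(target)
        current = target


def shannon_entropy(text):
    """Bits per character; encoded payloads sit near log2(alphabet size)."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_query(qname, records=RECORDS, chain_threshold=3,
                 label_len_threshold=30, entropy_threshold=3.5):
    """Resolve one query name and return the chain plus the reasons it was
    flagged; an empty 'reasons' list means nothing looked suspicious."""
    chain, addresses, status = follow_cname_chain(qname, records)
    reasons = []
    hops = len(chain) - 1
    if hops >= chain_threshold:
        reasons.append(f"cname_chain_{hops}_hops")
    domains = {registered_domain(n) for n in chain}
    if len(domains) >= 3:  # the answer left the apparent domain more than once
        reasons.append(f"crosses_{len(domains)}_registered_domains")
    if status in ("loop", "too_long"):
        reasons.append(f"chain_{status}")
    leftmost = qname.split(".")[0]
    if len(leftmost) >= label_len_threshold and shannon_entropy(leftmost) >= entropy_threshold:
        reasons.append("high_entropy_label")
    return {"qname": qname, "chain": chain, "addresses": addresses,
            "status": status, "reasons": reasons}


def flagged_queries(qnames, records=RECORDS):
    """Run assess_query over a batch of names and keep only the flagged results."""
    return [r for r in (assess_query(q, records) for q in qnames) if r["reasons"]]


if __name__ == "__main__":
    sample = ["www.normal-site.test", "cdn.example-shop.test", "loop-a.test",
              "0123456789abcdeffedcba9876543210.tunnel-svc.test"]
    for result in flagged_queries(sample):
        print(result["qname"], "->", " -> ".join(result["chain"][1:]) or "(no CNAME)",
              result["addresses"], result["reasons"])
```

<p>Of the four constructed names, only the plain A record passes clean: the shop CDN name is flagged for a three-hop chain that crosses four registered domains, the loop is reported as a broken chain, and the tunnel-style name is flagged on its leftmost label alone even though its CNAME depth is zero. The two checks are independent on purpose, since the post notes that infected hosts combined CNAME masking with tunneling; scoring each separately means either half of the combination is still caught.</p>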