# Behind the Curtains of a Vendor Email Compromise (VEC) Attack

By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Tom Fakterman](https://www.paloaltonetworks.com/blog/author/tom-fakterman/?ts=markdown "Posts by Tom Fakterman")

Jun 21, 2023

### **Executive Summary**

Credential phishing is one of the most common threats that businesses and individuals face in today's cybersecurity landscape. In recent years, credential phishing campaigns have kept evolving to appear as legitimate as possible. Threat actors mimic credible platforms and services to get unsuspecting users to enter their credentials and other sensitive information. Once credentials are stolen, threat [actors may sell them in underground markets](https://www.darkreading.com/threat-intelligence/sale-of-stolen-credentials-and-initial-access-dominate-dark-web-markets), or use them to conduct further malicious operations, sometimes even months after the credentials were first obtained.

One approach threat actors use to make the phishing appear more legitimate is a method known as a vendor email compromise (VEC) attack. In this type of attack, a threat actor first gains access to a vendor's business email account and then uses that account to send malicious emails to the vendor's customers, abusing the trust that customers often grant a well-known vendor.

In this blog, we will explore how attackers use these techniques to launch a phishing campaign with high damage potential for both the vendor and its customers.
**Table of Contents**

* [Phishing Sites & Phishing Kits](#post-295882-_8ukfnn57g)
* [Vendor Email Compromise](#post-295882-_ojgvqcidv9h0)
* [Conclusion](#post-295882-_uomlt8uabyk4)
* [Protections and Mitigations](#post-295882-_mf3k1d3b3om7)
* [Indicators of Compromise](#post-295882-_ydqdbjg0dngh)
* [Additional Resources](#post-295882-_eoura034lmtc)

## **Phishing Sites & Phishing Kits**

In March 2023, Cortex researchers identified a phishing campaign that used phishing sites mimicking a legitimate secure login page.

![Figure 1. Phishing site mimics a legitimate secure login page.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-1.png)

Figure 1. Phishing site mimics a legitimate secure login page.

When credentials are entered and the "log in" button is pressed, the user name and password are sent to the email addresses "ladyphone2001@gmail.com" and "ladyphone2001@yandex.com".

Analysis of the phishing sites suggests that the attacker behind the campaign used a variation of a phishing kit named "MIRCBOOT". [Phishing kits](https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/) are out-of-the-box collections of files and templates that are sold to attackers to make it easy to create legitimate-looking phishing sites and phishing emails.

![Figure 2. PHP page used in the phishing campaign](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-2.png)

Figure 2. PHP page used in the phishing campaign

By searching for the email addresses hardcoded in the site's PHP, we came across a PHP page with a similar structure that used the same email addresses. This PHP page appears to be part of the MIRCBOOT phishing kit:

![Figure 3. MIRCBOOT signature found in MIRCBOOT phishing kit](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-3.png)

Figure 3. MIRCBOOT signature found in MIRCBOOT phishing kit

This actor appears to run an online shop in which various services are sold, among them access to compromised accounts. The MIRCBOOT account has been active in various hacking forums since at least 2014.

![Figure 4. MIRCBOOT online store](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-4.png)

Figure 4. MIRCBOOT online store

## **Vendor Email Compromise**

During this campaign, the attackers used a technique known as vendor email compromise (VEC) to spread the phishing sites and to appear as legitimate as possible. Vendor email compromise is a type of phishing attack in which an attacker gains access to a vendor's business service account and then uses that account to send malicious emails to the vendor's customers.

In one example analyzed in this campaign, Cortex researchers identified attackers compromising a vendor service email account of a company in the financial services industry. The compromised email account was also used as a contact email for customers, so it potentially received many emails containing sensitive information as part of client inquiries.

The analysis revealed that the attackers logged in to the compromised email account from Nigeria. Although it is possible for the attackers to use a VPN, there have been multiple previous reports of business email compromise (BEC) groups [operating from Nigeria.](https://www.darkreading.com/attacks-breaches/nigerian-police-arrest-11-individuals-in-bec-crackdown)

The [Cortex Identity Threat Detection and Response (ITDR) module](https://www.paloaltonetworks.com/resources/techbriefs/identity-threat-detection-and-response-module) features alert layouts that expose profile data and historical trends. In the following example, the module detected a single sign-on operation from Nigeria, which is uncommon for this particular organization.

![Figure 5. Profile exposure of countries connected from](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-5.png)

Figure 5. Profile exposure of countries connected from

The attackers forwarded to themselves emails of interest that customers had sent to the compromised account. To hide their tracks, they then moved those emails from the Sent Items folder to the Deleted Items folder. The forwarded emails give the attacker valuable information about potential victims and help in crafting specific emails to trick those victims.

![Figure 6. Attacker moved particular sent emails to deleted items folder](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-6.png)

Figure 6. Attacker moved particular sent emails to deleted items folder

![Figure 7. Examples of emails monitored by attacker viewed in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-7.png)

Figure 7. Examples of emails monitored by attacker viewed in Cortex XDR

In addition to gathering intelligence, the attacker used the compromised email account to spread the phishing campaign. Malicious emails were sent to multiple recipients who appear to be customers or prospects of the company, and who are therefore more likely to trust emails from the compromised vendor account.

In the instance described in this post, the attacker sent emails with the subject "FA-Secure-File Invoice Number". These emails contained links to the phishing sites.

![Figure 8. Logs of emails sent by attacker viewed in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-8.png)

Figure 8. Logs of emails sent by attacker viewed in Cortex XDR

The attacker created an [email hiding rule](https://attack.mitre.org/techniques/T1564/008/), and the rule's logic moved emails that contain particular keywords to a folder named "RSS Feeds".
This folder is a default folder in Outlook, so users rarely check its contents. One of the keywords defined by the attackers in the hiding rule is the subject of the phishing email used by the attacker: "FA-Secure-File Invoice Number".

This technique appears to have been used as an evasive maneuver so as not to alert the vendor that the mailbox is compromised. If the target inbox of a phishing email is not available, the malicious email might bounce back to the sender's inbox with a message that the recipient is not available. By hiding such emails with the hiding rule (moving them to the RSS Feeds folder), the attackers significantly reduce their exposure.

![Figure 9. Suspicious Exchange email-hiding inbox rule alert in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-9.png)

Figure 9. Suspicious Exchange email-hiding inbox rule alert in Cortex XDR

![Figure 10. Forwarding rule created by attacker viewed in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-10.png)

Figure 10. Forwarding rule created by attacker viewed in Cortex XDR

The following diagram describes a high-level flow of the observed VEC attack:

![Figure 11. Vendor email compromise attack flow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-11.png)

Figure 11. Vendor email compromise attack flow

### **Conclusion**

VEC attacks are a popular method threat actors use to gather intelligence and trick users in order to perform a successful phishing campaign. As enterprises move towards cloud-based services, these types of attacks are all the more popular. It is important for organizations to be aware of and understand how these attacks work, and to implement protections that prevent these kinds of emails from reaching users.
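The mailbox behaviours described in the Vendor Email Compromise section (a hiding rule keyed on the phishing subject, a forwarding rule, and sent messages moved to Deleted Items) can be hunted for in mailbox audit data. The Python below is an added example, not part of the original post and not Cortex XDR's detection logic; the simplified record layout, the `analyze` function, the folder list and every sample record are assumptions constructed for illustration.

```python
# Constructed sample records. The flat layout is a simplified, assumed model of
# Exchange Online mailbox audit entries, not a verbatim export format.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-03-14T09:02:11", "UserId": "billing@vendor.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "SubjectOrBodyContainsWords",
          "Value": "FA-Secure-File Invoice Number;undeliverable"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-03-14T09:04:40", "UserId": "billing@vendor.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "FromAddressContainsWords", "Value": "customer"},
         {"Name": "ForwardTo", "Value": "collector@mailbox.example"}]},
    {"CreationTime": "2023-03-14T09:20:05", "UserId": "billing@vendor.example",
     "Operation": "Send", "Subject": "FA-Secure-File Invoice Number 48213"},
    {"CreationTime": "2023-03-14T09:21:30", "UserId": "billing@vendor.example",
     "Operation": "MoveToDeletedItems", "Folder": "\\Sent Items"},
    {"CreationTime": "2023-03-15T11:00:00", "UserId": "alice@vendor.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Default or rarely opened folders that can be used to bury messages (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def split_values(params, name):
    """Return the ';'-separated values of one rule parameter, trimmed."""
    return [v.strip() for v in params.get(name, "").split(";") if v.strip()]


def analyze(records, org_domains):
    """Return (mailbox, finding, detail) tuples for VEC-style mailbox abuse."""
    findings, hidden = [], {}  # hidden: mailbox -> keywords its rules bury
    # Pass 1: inbox rules first, so correlation works regardless of event order.
    for rec in records:
        if rec["Operation"] not in RULE_OPS:
            continue
        user = rec["UserId"]
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        words = [w.lower() for n in KEYWORD_PARAMS for w in split_values(params, n)]
        buries = (params.get("MoveToFolder", "").lower() in HIDING_FOLDERS
                  or params.get("DeleteMessage") == "True")
        if buries and words:
            hidden.setdefault(user, set()).update(words)
            findings.append((user, "email-hiding-rule", "; ".join(words)))
        for name in FORWARD_PARAMS:
            for addr in split_values(params, name):
                if "@" in addr and addr.rsplit("@", 1)[1].lower() not in org_domains:
                    findings.append((user, "external-forwarding-rule", addr))
    # Pass 2: sent mail whose subject a hiding rule would bury (so replies and
    # bounces never reach the inbox), and clean-up of the Sent Items folder.
    for rec in records:
        user, op = rec["UserId"], rec["Operation"]
        if op == "Send":
            subject = rec.get("Subject", "")
            if any(w in subject.lower() for w in hidden.get(user, ())):
                findings.append((user, "sent-mail-matches-hiding-rule", subject))
        elif op == "MoveToDeletedItems":
            if rec.get("Folder", "").lower().endswith("sent items"):
                findings.append((user, "sent-items-moved-to-deleted", rec["Folder"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS, {"vendor.example"}):
        print(finding)
```

The correlation in the second pass is the part specific to this campaign: a rule that buries messages matching the subject of mail the same mailbox is sending is a much stronger signal than either event alone.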
### **Protections and Mitigations**

Palo Alto Networks customers receive full protection from this attack through the new AI-driven [Cortex Identity Threat Detection and Response (ITDR) module](https://www.paloaltonetworks.com/resources/techbriefs/identity-threat-detection-and-response-module) in XDR and XSIAM. The ITDR module provides advanced detection capabilities that enable organizations to quickly respond to identity-related threats.

**Cortex ITDR and Identity Analytics Alerts**

| Alert Name | Alert Source | ATT&CK Technique |
|------------|--------------|------------------|
| [Exchange email-hiding inbox rule](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Exchange-email-hiding-inbox-rule) | XDR Analytics BIOC, Identity Threat Module (ITDR) | [Hide Artifacts: Email Hiding Rules (T1564.008)](https://attack.mitre.org/techniques/T1564/008) |
| [User moved Exchange sent messages to deleted items](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/User-moved-Exchange-sent-messages-to-deleted-items) | XDR Analytics, Identity Threat Module (ITDR) | [Indicator Removal: Clear Mailbox Data (T1070.008)](https://attack.mitre.org/techniques/T1070/008/) |
| [First connection from a country in organization](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/First-connection-from-a-country-in-organization) | XDR Analytics BIOC, Identity Analytics | [Compromise Accounts (T1586)](https://attack.mitre.org/techniques/T1586) |
| [First SSO access from ASN in organization](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/First-SSO-access-from-ASN-in-organization) | XDR Analytics BIOC, Identity Analytics | [Valid Accounts: Domain Accounts (T1078.002)](https://attack.mitre.org/techniques/T1078/002) |
| [Login by a dormant user](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Login-by-a-dormant-user) | XDR Analytics BIOC, Identity Analytics | [Valid Accounts: Domain Accounts (T1078.002)](https://attack.mitre.org/techniques/T1078/002) |

Additionally, Cortex Identity Analytics features a user-centric dashboard that presents the trend of a user's alerts and risk score. In the example presented, there was a significant increase in the user's risk score as a result of the triggered alerts.

![Figure 12. User risk score card from this incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-295882-12.png)

Figure 12. User risk score card from this incident

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:

* [WildFire](https://www.paloaltonetworks.com/products/secure-the-network/wildfire?_gl=1*nq7ug8*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTcyNDAwMC4zMC4xLjE2Njk3MjQwNjEuNjAuMC4w) cloud-based threat analysis service accurately identifies the known samples as malicious.
* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) and [DNS Security](https://www.paloaltonetworks.com/network-security/dns-security?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) identify domains associated with this group as malicious.
* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) detects user and credential-based threats by analyzing user activity from multiple data sources including endpoints, network firewalls, Active Directory, identity and access management solutions, and cloud workloads. It builds behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity, and the expected behavior of the entity, Cortex XDR detects anomalous activity indicative of credential-based attacks.

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the [Cyber Threat Alliance](http://www.cyberthreatalliance.org).
## **Indicators of Compromise**

**IP Addresses**

**Domains**

## Additional Resources

* [https://static.fortra.com/agari/pdfs/guide/ag-anatomy-compromised-account-gd.pdf](https://static.fortra.com/agari/pdfs/guide/ag-anatomy-compromised-account-gd.pdf)
* [https://www.microsoft.com/en-us/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/](https://www.microsoft.com/en-us/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/)
* [https://threatcop.com/blog/vec-attacks/](https://threatcop.com/blog/vec-attacks/)