False Positive | redherring.sdcoe.net

[RCsandoval]

What are the subjects of the false-positive (domains, URLs, or IPs)?

• https://aditisecurity.com
• https://sandiegocoe.net
• https://schoolunified.net
• https://sfcoe.org

Why do you believe this is a false-positive?

Greetings,
The referenced websites are owned by and redirect to redherring.sdcoe.net, which is an authorized simulated phishing awareness platform used to promote cybersecurity awareness among employees. Please review and decategorize them as Malicious.

• Red Herring landing pages are not indexed by search engines.
• The app collects only the necessary information such as the target user's email address and name to send simulated phishing emails.
• Interaction telemetry with the simulated phishing emails is collected and secured against unauthorized access.
• Text inputted into form fields on landing pages is registered, but no actual data entered is collected or recorded

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by checking virustotal.com

Have you requested a review from other sources?

I have requested a review from multiple threat databases.

Do you have a screenshot?

N/A

Additional Information or Context

N/A

[phishing-database-bot]

Verification Required

@RCsandoval, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

   • Record Name: _phishingdb
   • Record Value: antiphish-5ca9bd7a45b3c6c2026664ee0c344a2b0d1c4acc

   Your Verification ID: antiphish-5ca9bd7a45b3c6c2026664ee0c344a2b0d1c4acc

2. Wait for DNS propagation (this may take a few minutes to a few hours).

3. Reply to this issue once the TXT record has been set.

Important Notes

• Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
• If the record cannot be set or you need alternative methods of verification, please contact us at contact@phish.co.za - preferably from the domain's official email address.

How to Check the TXT Record ?

You can verify that the TXT record is properly set using:

• Online tools like MXToolBox TXT Lookup.
• The command line:

  dig TXT _phishingdb.example.com
  

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.

[RCsandoval]

Greetings, We have added the requested DNS TXT records. Additionally, we have identified other domains we own that also require recategorization, and we have added TXT records to those as well. * sfcoe.org * sfusds.net * sfcoe.net * aditisecurity.com * schoolunified.net * sandiegocoe.net

…

________________________________ From: Phishing Database ***@***.***> Sent: Thursday, February 6, 2025 10:36 AM To: Phishing-Database/Phishing.Database ***@***.***> Cc: ***@***.***>; Mention ***@***.***> Subject: Re: [Phishing-Database/Phishing.Database] False Positive | redherring.sdcoe.net (Issue #1110) ⚠ This email originated from outside of SDCOE. Do not click links or open attachments unless you recognize the sender and know the content is safe. Verification Required @RCsandoval<https://github.com/RCsandoval>, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps: 1. Set a DNS TXT record for the domain(s) listed in this issue with the following details: Your Verification ID: antiphish-5ca9bd7a45b3c6c2026664ee0c344a2b0d1c4acc * Record Name: _phishingdb * Record Value: antiphish-5ca9bd7a45b3c6c2026664ee0c344a2b0d1c4acc 2. Wait for DNS propagation (this may take a few minutes to a few hours). 3. Reply to this issue once the TXT record has been set. Important Notes * Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis. * If the record cannot be set or you need alternative methods of verification, please contact us at ***@***.******@***.***> - preferably from the domain's official email address. How to Check the TXT Record ? You can verify that the TXT record is properly set using: * Online tools like MXToolBox TXT Lookup<https://mxtoolbox.com/TXTLookup.aspx>. * The command line: dig TXT _phishingdb.example.com Thank you for your cooperation! We will address your issue as soon as possible after verification. The Phishing.Database Project Team. — Reply to this email directly, view it on GitHub<#1110 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BGX3KAJK25N5ET4FXSQV6BL2OOTUJAVCNFSM6AAAAABWUHANESVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNBQG4YDAOJWGM>. You are receiving this because you were mentioned.

[spirillen]

Hi Ruben

Just wondering, for how long do you believes this is a place to work?? San Diego County Office of Education, you know, it is an expense and with Captain MAGA and DOGE on the loose....

---

ptcheck sfcoe.org antiphish-5ca9bd7a45b3c6c2026664ee0c344a2b0d1c4acc
The test value matches the DNS TXT record.

Thanks for using my tools.
Please consider a sponsor ship at https://www.mypdns.org/donate

---

I will now continue looking into your request

[spirillen]

Well, it is easy to see why your might get marked... you might choose to add words like for learning and understanding...

May I request you optimize your site for light sensitive users of Dark Reader like my self

---

Found records, I would like to know more about, as I have not turned on my power-hungry vm server

https://aditisecurity.com/LandingPage/Index/122?token=a3p2SlZHSWg5YTdnbUptTnNSWUFLaHczYlYzb0pON0VyNVl6bk03aGRwUHZJQXFtbitsdnFOT3VPT2U1QlZVQ05QR3hNeERUTHVDb2RTVEhmZ0pmSHBGZ3dzd2FGd091SDBjOE14T2REb1F2T3M2VzVKc21SWnV4Mk5lb2RRZy9HcTYyL1c1NnorSEZGM09rYmRJdGptaWpPcFIxcXkzdVdPUGljdXJBOTE2TnVpMzFpaWtjRTE5RXhRVFN6RC92STJWdEhzdkpXSEVvNkszclNRZDNJdW13WmlIMW9yQ09NS0JZcnplKzRiM3RGOU5JRGJBZ3oxcHFGV2NpenpwYndISS8weWxBaGxuWkxjcXV3RGFZV2F1cUFnS3p5V2wwK215TkVRUW1Pblp6RUtBSVRKNmkwVUVvQkdqc3VucEw4bTExM1Z0QnpTaitzQzlvbHNGK0RnPT0= # Where are this one leading? and is it a training mail, that have ended up in a honeypot?

http://sandiegocoe.net/LandingPage/Index/122 # Seems to be equal the first one, without tracking

https://schoolunified.net/LandingPage/Index/122 # Seems to be equal the first one, without tracking

https://sfcoe.org/LandingPage/Index/4540?token=anA0UWl5bHMxb2dZVlpUZ1NzWVJrbWpsdVhIK1I4UjJiTjNvbDFWcVg4L0MxRWF4dk4rNzNTcGxBelpMR3lncnRZQW1lV0p0Q3ZITGJ0eXpQNUVKaXJjdlBuSlIxb0swUGtLZERhM0lwc3pLcXRidVc2aHRuZDNPRzBLUEFYNVdYZFlMSll4eEFTaGlETU9WK0xzMy85Mjk5VTlleHNEM2ZneGt4UWN1eC83Z2UwNWZyYXVQc1BxYjQzazB3ZGdkMkliYlhWNTZDOUNFRXR2QUZkWXppcmc2QXBYbGVQc0hCVkJPN1UxQk1Uak1qK3ZXRXBSOVlhVW5WbFVRZTcvdE00YjJGM2w0bXd5b0E4VDVHdHl3a1UvNmhBNmtlNFV3S09KN1pZV0xFY1BYK1pRREFocUUrSG9kRFhsUXh0VkZqaE91ZDE2WlBRc2J6eVZDV0ZLVXp3PT0=  # Seems to be equal the first one, without tracking

[RCsandoval]

Hello spirillen,
Thank you for looking into this request, it's wonderful to work with such a professionally minded threat analyst. Below are the answers to your questions. For reference, this Red Herring product has been featured by the U.S. White House https://www.sdcoe.net/about-sdcoe/news/post/~board/news/post/local-school-leader-participates-in-white-house-cybersecurity-summit and on page 17 of https://files.eric.ed.gov/fulltext/ED650652.pdf

https://aditisecurity.com/LandingPage/Index/122?token=a3p2SlZHSWg5YTdnbUptTnNSWUFLaHczYlYzb0pON0VyNVl6bk03aGRwUHZJQXFtbitsdnFOT3VPT2U1QlZVQ05QR3hNeERUTHVDb2RTVEhmZ0pmSHBGZ3dzd2FGd091SDBjOE14T2REb1F2T3M2VzVKc21SWnV4Mk5lb2RRZy9HcTYyL1c1NnorSEZGM09rYmRJdGptaWpPcFIxcXkzdVdPUGljdXJBOTE2TnVpMzFpaWtjRTE5RXhRVFN6RC92STJWdEhzdkpXSEVvNkszclNRZDNJdW13WmlIMW9yQ09NS0JZcnplKzRiM3RGOU5JRGJBZ3oxcHFGV2NpenpwYndISS8weWxBaGxuWkxjcXV3RGFZV2F1cUFnS3p5V2wwK215TkVRUW1Pblp6RUtBSVRKNmkwVUVvQkdqc3VucEw4bTExM1Z0QnpTaitzQzlvbHNGK0RnPT0= # Where are this one leading? and is it a training mail, that have ended up in a honeypot?

** This leads to an expired simulated phishing link. Expired links redirect to https://aditisecurity.com/Home/ErrorNoBranch, explaining such. Yes, it is a training email that tracks if a user clicks on the link and how they interact with simulated phishing websites and training content and then assigns that user a risk score based on their activities. By "honeypot" are you asking if the webpage is maliciously collecting sensitive information? The website only determines if text was inputted in a form field so that we know if the target user is in need of additional cybersecurity training. The site does not collect any text entered into the form fields, this can be verified by using your web browser's dev tools to inspect the page's html/css code.

http://sandiegocoe.net/LandingPage/Index/122 # Seems to be equal the first one, without tracking

** This leads to a simulated phishing website. Without the tracking token the system does not know where to send the viewer and will redirect to https://sandiegocoe.net/Home/Error/404, which explains that it was part of a simulated phishing exercise.

https://schoolunified.net/LandingPage/Index/122 # Seems to be equal the first one, without tracking

** This leads to a simulated phishing website, to further clarify all the domains that we use for simulated phishing are just DNS redirects. Without the tracking token, the system does not know where to send the viewer and will redirect to https://sandiegocoe.net/Home/Error/404, which explains that it was part of a simulated phishing exercise.

https://sfcoe.org/LandingPage/Index/4540?token=anA0UWl5bHMxb2dZVlpUZ1NzWVJrbWpsdVhIK1I4UjJiTjNvbDFWcVg4L0MxRWF4dk4rNzNTcGxBelpMR3lncnRZQW1lV0p0Q3ZITGJ0eXpQNUVKaXJjdlBuSlIxb0swUGtLZERhM0lwc3pLcXRidVc2aHRuZDNPRzBLUEFYNVdYZFlMSll4eEFTaGlETU9WK0xzMy85Mjk5VTlleHNEM2ZneGt4UWN1eC83Z2UwNWZyYXVQc1BxYjQzazB3ZGdkMkliYlhWNTZDOUNFRXR2QUZkWXppcmc2QXBYbGVQc0hCVkJPN1UxQk1Uak1qK3ZXRXBSOVlhVW5WbFVRZTcvdE00YjJGM2w0bXd5b0E4VDVHdHl3a1UvNmhBNmtlNFV3S09KN1pZV0xFY1BYK1pRREFocUUrSG9kRFhsUXh0VkZqaE91ZDE2WlBRc2J6eVZDV0ZLVXp3PT0= # Seems to be equal the first one, without tracking

** This leads to a simulated phishing website where the stancoe.org customer cloned the "/122" page and republished. It looks like the customer has links to https://stancoeorg.finalsite.com/divisions/technology-and-learning-resources/cyber-security-landing-page.

Thank you...