Recently I’ve seen a number of good looking malicious emails pretending to be from various orgs, all with included company logos.
Looking over the HTML of the emails I noticed an image URL common to all of them, logo.clearbit[.]com. It was in the image tag for logo.
It’s a company logo API that uses logo.clearbit[.]com/“domain.whatever” for logo creation.
Might be a domain you want to start filtering for, as the API is clearly being abused thanks to it being absolutely free.
#ThreatIntel
Fellows /
npub1x6…0qtcd
2025-02-21 21:44:31
Author Public Key
npub1x6rdj7gu3magc9j29a042njygsjx9hg3husmk45sjf9n7rhx85fqs0qtcdPublished at
2025-02-21 21:44:31Event JSON
{
"id": "207ca7d8f832c4140adbfaefa4a20a312b5cff78af3732868f09b0ed9ef88a6e",
"pubkey": "3686d9791c8efa8c164a2f5f554e44442462dd11bf21bb5690924b3f0ee63d12",
"created_at": 1740174271,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/@fellows/114044061036385824",
"web"
],
[
"t",
"threatintel"
],
[
"proxy",
"https://cyberplace.social/users/fellows/statuses/114044061036385824",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://cyberplace.social/users/fellows/statuses/114044061036385824",
"pink.momostr"
],
[
"-"
]
],
"content": "Recently I’ve seen a number of good looking malicious emails pretending to be from various orgs, all with included company logos. \n\nLooking over the HTML of the emails I noticed an image URL common to all of them, logo.clearbit[.]com. It was in the image tag for logo. \n\nIt’s a company logo API that uses logo.clearbit[.]com/“domain.whatever” for logo creation. \n\nMight be a domain you want to start filtering for, as the API is clearly being abused thanks to it being absolutely free. \n\n#ThreatIntel",
"sig": "2021149cde43a41d4b1c9b3c0d94e77fca1a30cb33efb47c54f4a87ee75dfd9f97b1b0337a2e2a4c10b7375769f83ac764390637599b02bce9f4d753fa00c052"
}