{
  "generated_at": "2026-06-10T16:17:48.974Z",
  "rules": [
    {
      "slug": "t1566-002-luxembourg-hospitality-sms-phish",
      "title": "T1566.002 Spearphishing Link — Luxembourg Hospitality SMS Phishing Campaign",
      "description": "Smishing campaign targeting hotel customers in Luxembourg. The CIRCL MISP event lists six SMS sender phone numbers (NL/UK/ID country codes) that delivered a lure linking to a credential-harvesting page. This rule fires on SMS or mobile-threat-defense telemetry showing inbound messages from any of those senders. The source IOCs are sender numbers only — the source event does not publish the lure URL or landing domain, so URL/DNS coverage is left as a follow-up if those indicators surface. Because SMS sender numbers can be spoofed or rotated, treat a match as a triage lead rather than confirmation of compromise. Tagged T1566.002 (Phishing: Spearphishing Link); the SMS delivery angle maps to the MISP taxonomy tag \"phishing:techniques=sms-phishing\".",
      "yaml_url": "/sigma/t1566-002-luxembourg-hospitality-sms-phish.yml",
      "indicator_count": 0,
      "generated_at": "2026-06-10T16:17:48.974Z",
      "source": "hand-authored",
      "ioc_type": "medium"
    }
  ]
}
