June 10, 2026 · Applied Cybernetics Group
T1566.002 Spearphishing Link — Luxembourg Hospitality SMS Phishing Campaign
production-ready · status: experimental · level: medium
Smishing campaign targeting hotel customers in Luxembourg. The CIRCL MISP event lists six SMS sender phone numbers (NL/UK/ID country codes) that delivered the lure linking to a credential-harvesting page. This rule fires on SMS or mobile-threat-defense telemetry showing inbound messages from any of those senders. Source IOCs are sender numbers only — the source event does not publish the lure URL or landing domain, so URL/DNS coverage is left as a follow-up if those indicators surface. Tagged T1566.002 (Phishing: Spearphishing Link); the SMS delivery angle maps to MISP galaxy "phishing:techniques=sms-phishing".
- Rule ID: d4809b9b-47f0-54ea-b8ee-7a986643871e
- Status: experimental
- Level: medium
- Log source: category: sms · product: mobile
- Date: 2026-06-10
- Modified: 2026-06-10
- ATT&CK: T1566.002 (signal rollup)
- Canonical YAML: t1566-002-luxembourg-hospitality-sms-phish.yml
References
- https://thrunt.me/sigma/t1566-002-luxembourg-hospitality-sms-phish.yml
- https://www.circl.lu/doc/misp/feed-osint/10a94632-a0a1-4062-a3a5-95fe321ae045.json
- https://attack.mitre.org/techniques/T1566/002/
False positives
- Legitimate inbound SMS from one of these numbers after the campaign ends (sender-rotation is fast in smishing operations — expect short TTL).
- Test traffic from security-awareness platforms simulating the campaign.
Rule YAML
title: 'T1566.002 Spearphishing Link — Luxembourg Hospitality SMS Phishing Campaign'
id: 'd4809b9b-47f0-54ea-b8ee-7a986643871e'
status: 'experimental'
description: 'Smishing campaign targeting hotel customers in Luxembourg. The CIRCL MISP event lists six SMS sender phone numbers (NL/UK/ID country codes) that delivered the lure linking to a credential-harvesting page. This rule fires on SMS or mobile-threat-defense telemetry showing inbound messages from any of those senders. Source IOCs are sender numbers only — the source event does not publish the lure URL or landing domain, so URL/DNS coverage is left as a follow-up if those indicators surface. Tagged T1566.002 (Phishing: Spearphishing Link); the SMS delivery angle maps to MISP galaxy "phishing:techniques=sms-phishing".'
references:
  - 'https://thrunt.me/sigma/t1566-002-luxembourg-hospitality-sms-phish.yml'
  - 'https://www.circl.lu/doc/misp/feed-osint/10a94632-a0a1-4062-a3a5-95fe321ae045.json'
  - 'https://attack.mitre.org/techniques/T1566/002/'
author: 'Applied Cybernetics Group (via thrunt.me)'
date: '2026-06-10'
modified: '2026-06-10'
tags:
  - 'attack.initial_access'
  - 'attack.t1566.002'
  - 'tlp.clear'
logsource:
  category: 'sms'
  product: 'mobile'
detection:
  selection:
    SenderNumber:
      - '+31613570733'
      - '+447470766507'
      - '+447346922620'
      - '+447990119737'
      - '+447423152571'
      - '+6283180060342'
  condition: 'selection'
falsepositives:
  - 'Legitimate inbound SMS from one of these numbers after the campaign ends (sender-rotation is fast in smishing operations — expect short TTL).'
  - 'Test traffic from security-awareness platforms simulating the campaign.'
level: 'medium'
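
Added example (not part of the published rule or the thrunt.me project): Sigma compares `SenderNumber` as an exact string, so the rule only fires when telemetry logs senders in the same `+<digits>` form used in the selection. The Python sketch below normalises international-format variants before comparing; the sample events, the `id` field, and the treatment of a leading `00` as the international prefix are assumptions.

```python
import re

# Sender numbers copied from the rule's detection.selection.SenderNumber list.
RULE_SENDERS = frozenset({
    "+31613570733", "+447470766507", "+447346922620",
    "+447990119737", "+447423152571", "+6283180060342",
})

E164 = re.compile(r"\+[1-9]\d{6,14}")

def to_e164(raw):
    """Return '+<digits>' for international-format input, else None."""
    if not raw:
        return None
    s = re.sub(r"[\s().\-]", "", raw.strip())   # drop spaces and punctuation
    if s.startswith("00"):                      # assumption: 00 = international prefix
        s = "+" + s[2:]
    return s if E164.fullmatch(s) else None

def scan(events):
    """Split events into rule hits and senders that could not be normalised."""
    hits, unresolved = [], []
    for ev in events:
        num = to_e164(ev.get("SenderNumber"))
        if num is None:
            unresolved.append(ev["id"])         # alphanumeric ID or national format
        elif num in RULE_SENDERS:
            hits.append((ev["id"], num))
    return hits, unresolved

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"id": 1, "SenderNumber": "+31613570733"},        # exact form used by the rule
    {"id": 2, "SenderNumber": "0044 7470 766507"},    # 00 prefix, spaced
    {"id": 3, "SenderNumber": "+44 (7346) 922-620"},  # punctuation
    {"id": 4, "SenderNumber": "+447700900123"},       # constructed, not in the rule
    {"id": 5, "SenderNumber": "HotelInfo"},           # alphanumeric sender ID
    {"id": 6, "SenderNumber": "07470766507"},         # national format, country unknown
]

if __name__ == "__main__":
    hits, unresolved = scan(SAMPLE_EVENTS)
    print("hits:", hits)
    print("needs review (not normalisable):", unresolved)
```

Events 2 and 3 are missed by an exact-string comparison and caught only after normalisation; event 6 shows why national-format senders need the receiving country from the telemetry before they can be compared at all.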