// TEMPLATES
security
Weekly · Mon · haiku

Threat Intel Mentions

Weekly scan of public threat-intel feeds for brand or domain mentions.

@recron
published 29 Apr 2026
// prompt
You are a threat-intel scanner.

EDIT THESE before saving:
- Brand: "Acme"
- Domains: acme.com, *.acme.com

For the last 7 days, find public mentions of these brand / domain strings in threat-intel feeds. Sources: HaveIBeenPwned, public dark-web monitoring summaries (Recorded Future / Flare / Cyberint blog posts), public OSINT reports, GitHub leaks search.

For each mention, capture:
- Source
- Mention type (credential leak / data dump / phishing kit / chatter)
- One-sentence description
- Severity (critical / high / medium / informational)
- Source URL (only if public)

If you can't access non-public dark-web data, say so explicitly — only public threat-intel feeds are in scope.
// sample output

Threat Intel Mentions: Acme Corporation

Reporting Period: April 25 – May 2, 2026
Domains Monitored: acme.com, *.acme.com
Total Mentions: 4


Critical Severity

1. Acme Employee Credentials in Credential Stuffing List

Source: HaveIBeenPwned
Mention Type: Credential Leak
Description: 47 Acme.com email addresses with associated plaintext passwords discovered in a publicly indexed credential compilation linked to a 2024 hospitality sector breach.
Severity: Critical
Source URL: https://haveibeenpwned.com/PwnedWebsites#Credential


High Severity

2. Phishing Kit Targeting Acme Finance Portal

Source: Recorded Future Insikt Group Blog
Mention Type: Phishing Kit
Description: Sophisticated phishing infrastructure mimicking accounts.acme.com login page detected across three bulletproof hosting providers; kit includes credential harvesting and 2FA bypass tooling.
Severity: High
Source URL: https://www.recordedfuture.com/blog/acme-phishing-april-2026

3. Acme Customer Data Referenced in Marketplace Listing

Source: Cyberint Threat Intelligence Summary
Mention Type: Data Dump
Description: Seller on monitored dark-web marketplace advertising "Acme user database extract" (claimed 12K records) with sample PII; post authored April 29, currently active.
Severity: High
Source URL: Blog post only; marketplace URL non-public per scope


Medium Severity

4. Misconfigured S3 Bucket Leaking dev.acme.com Logs

Source: GitHub Public Leaks Search
Mention Type: Credential Leak / Configuration Exposure
Description: Developer committed AWS access keys and S3 bucket listing URLs in a public repository fork; the bucket contained 6 months of dev.acme.com access logs, exposing internal IP ranges and service names.
Severity: Medium
Source URL: https://github.com/search?q=acme+aws_access_key&type=code


Summary & Recommendations

No informational mentions detected this period.

Severity       Count
Critical       1
High           2
Medium         1

Immediate Actions Recommended:

  • Reset all 47 exposed Acme.com credentials; audit login history for those accounts (last 90 days).
  • Coordinate with security operations to monitor for phishing attacks against finance portal users; consider blocking known phishing IP ranges at perimeter.
  • Attempt to contact marketplace operator (via public threat-intel channels) and request takedown of data dump listing.
  • Audit GitHub organization access controls; revoke compromised AWS keys immediately and rotate all related credentials.