I currently have a customer who noticed firewall logs pointing to a URL that was never used by them before. They blocked all traffic to and from the domain of another company that was recently hit by a ransomware attack and now they want advice on whether this traffic could be considered an indicator of compromise.
They seem to use the Outlook plugin GpgOL, and because the URL suggests that it relates to GnuPG, I wanted to ask if this behavior is known to anyone.
[https://]openpgpkey.domain.com
My guess would be that the plugin attempts to get a public key from a keyserver if there was none saved before when an email is sent to an address like contact@domain.com
But then again it could be just a clever way to hide traffic and disguise it as something one would consider normal.
Thanks for any advice ~
(and if this turns into an IoC, I shall update the question)
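Added example, not part of the question above or of GnuPG's own code: a small Python check written against the OpenPGP Web Key Directory (WKD) scheme, which is what GnuPG-based clients use when they fetch a key from an `openpgpkey.` subdomain. `wkd_urls` computes the URLs a WKD lookup for a mail address would request, and `classify_wkd_url` says whether a logged URL has the shape of such a lookup (including whether the hash in the path matches the local-part in the `l=` query parameter). The log lines, the `contact@domain.com` address and the function names are constructed for this example; the `Joe.Doe@Example.ORG` mapping in the test is the worked example given in the WKD draft specification.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# z-base-32 alphabet used by the WKD draft (draft-koch-openpgp-webkey-service).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Path shapes a WKD client requests: ".../hu/<32-char hash>" for a key lookup,
# ".../policy" for the policy file. The advanced method (openpgpkey.<domain> host)
# repeats the mail domain as an extra path segment; the direct method does not.
WKD_PATH = re.compile(
    r"^/\.well-known/openpgpkey/(?:(?P<dom>[^/]+)/)?"
    r"(?:hu/(?P<hash>[" + ZB32_ALPHABET + r"]{32})|(?P<policy>policy))$"
)


def zbase32_encode(data: bytes) -> str:
    """z-base-32: five bits per character, most significant bit first, zero-padded at the end."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(bits >> nbits) & 0x1F])
            bits &= (1 << nbits) - 1
    if nbits:
        out.append(ZB32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD maps the lowercased local-part through SHA-1 and z-base-32 (20 bytes -> 32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """URLs a WKD-capable client may fetch when it looks for the key of `address`."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{h}?l={local_part}",
        "advanced_policy": f"{base_adv}/policy",
        "direct": f"{base_dir}/hu/{h}?l={local_part}",
        "direct_policy": f"{base_dir}/policy",
    }


def classify_wkd_url(url: str) -> str:
    """Return 'wkd-lookup', 'wkd-policy', 'wkd-hash-mismatch' or 'not-wkd' for a logged URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = WKD_PATH.match(parts.path)
    if not m:
        return "not-wkd"
    if host.startswith("openpgpkey."):
        # Advanced method: the path must name the same mail domain as the host.
        if m.group("dom") != host[len("openpgpkey."):]:
            return "not-wkd"
    elif m.group("dom") is not None:
        return "not-wkd"
    if m.group("policy"):
        return "wkd-policy"
    # A genuine lookup's path hash is derived from the local-part it sends as l=.
    local = parse_qs(parts.query).get("l")
    if local and wkd_hash(local[0]) != m.group("hash"):
        return "wkd-hash-mismatch"
    return "wkd-lookup"


def triage_log(lines) -> list:
    """Attach a classification to each constructed 'timestamp action url' log line."""
    results = []
    for line in lines:
        url = line.split()[-1]
        results.append((url, classify_wkd_url(url)))
    return results


if __name__ == "__main__":
    # Constructed sample log lines, not real firewall output.
    expected = wkd_urls("contact@domain.com")
    sample_log = [
        f"2024-01-01T09:00:00Z DENY {expected['advanced_policy']}",
        f"2024-01-01T09:00:01Z DENY {expected['advanced']}",
        "2024-01-01T09:00:02Z DENY https://openpgpkey.domain.com/some/other/path",
    ]
    for url, verdict in triage_log(sample_log):
        print(f"{verdict:18} {url}")
```

Traffic that fits `wkd-lookup` or `wkd-policy` is the normal key discovery a WKD-enabled client performs when composing mail to that domain; a request to the `openpgpkey.` host that does not fit the `.well-known/openpgpkey/` path, or whose hash does not match its own `l=` parameter, does not look like a client lookup and is worth a closer look.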