Heads up on some probable Sandworm domains that had resolving subdomains in May 2020:

userarea[.]click (46.4.10[.]58)
userarea[.]eu (185.226.67[.]190)

In @ThreatConnect: app.threatconnect.com/auth/incident/… That infrastructure is part of a larger network identified by investigating the domains fbapp[.]top, fbapp[.]info, and fbapp[.]link, which were registered through Njalla the same day (12/24/18) as the hostapp[.]be domain in @NSACyber's report last week.

https://twitter.com/NSACyber/status/1266022426317643778

So just to be explicit about our research @ThreatConnect, we initially came across the cubenergy-my-sharepoint[.]com by exploiting some consistencies that we've seen in previous Fancy Bear infrastructure.

https://twitter.com/kyleehmke/status/1206573157261414405

To be specific, the use of a PositiveSSL certificate in conjunction with a Sharepoint-related string, has been used several times previously by Fancy Bear and not widely seen elsewhere.

Heads up on some suspicious domains spoofing UKR organizations registered in the last year:
cubenergy-my-sharepoint[.]com
dpkshodnya-mysharepoint[.]com
kub-gas[.]com
kvatral95[.]com
my-ukr[.]net

More context in @ThreatConnect: app.threatconnect.com/auth/campaign/… (1/6) Relevant hosting IPs:
91.132.139[.]155
184.164.139[.]238
94.158.245[.]28
185.174.174[.]34

Also mail server mail.kvatral95[.]com is hosted on a probable dedicated server at 45.89.175[.]235. (2/6)

On the info ops front, the Facebook page for The Right News seemingly serves as an echo chamber for The Daily Wire. Based on that page and WHOIS history for therightnews[.]net, The Right News probably is actively working on behalf of The Daily Wire without openly stating so. 1/15 In terms of background, The Right News' Facebook page was created on 11/22/13, has over 193k followers, and claims to be a Media/News company. The page posts political commentary, conservative articles, and memes. 2/15