IoC, IoA and IoF: What indictors really mean

The terms Indicator of Attack (IoA), Indicator of Compromise (IoC), and Indicator of Fraud (IoF) can get confusing. It is not always clear how they are different or when to use which. So, let’s break them down and make sense of what each one means, how they work, and which ones matter most for keeping an organization safe.

At Switch’s Security Operations Centre, we use SIEM (Security Information and Event Management) solutions to check whether reported IoCs appear in our customers’ environments. Since attackers quickly change IP addresses, domain names, or URLs, we also focus on IoAs, which remain relevant for longer and help us detect threats even when their infrastructure shifts.

IoAs – Indicators of Attack

IoAs are early warning signs, such as unexpected traffic spikes, suspicious logins, or abnormal user behaviour. They reveal active cyber threats before they escalate. Unlike IoCs, which focus on forensic evidence after a breach has occurred, IoAs detect malicious intent in real time, exposing the "why" behind attacks.

This proactive approach shifts the security focus from responding to damage to disrupting threats mid-action. By continuously analysing system logs, attacker tactics, techniques, and procedures (TTPs), and behavioural anomalies, teams can neutralise risks before they cause any harm. For example, some IoA detections can include:

1. Renamed tools
   Critical tools such as PowerShell can be misused by attackers by renaming its executable file to hide their actions, avoiding default detections based on paths or commands and ultimately deliver their threats.
2. Excessive SMTP traffic
   Attackers may attempt to spread malware, steal sensitive information using a man-in-the-middle attack, launch a DDoS attack, or misuse a company server to send spam and run phishing scams. A detection of this IoA can be based on a general analysis of an unusually high volume of SMTP traffic.
3. Unusual process execution
   Attackers often use legitimate system tools, such as PowerShell, CMD, MSHTA, or WMIC, to carry out malicious operations. These tools are built into the OS and trusted by security controls, making them ideal for bypassing defences and being used for:
   –  execution of payloads using base64-encoded commands
   –  obfuscated or suspicious commands in process lines (e.g. mshta, rundll32)
   –  use of trusted tools to download or execute remote scripts
4. Command and control (C2) communication
   Malware communicating with external servers controlled by attackers. Uncommon ports, encrypted traffic or repeatedly failed DNS lookups can be indicators to identify a potential attack.

IoCs – Indicators of Compromise

An IoC is a data artifact or an observable characteristic that suggests a system or network has been compromised or that malicious activity has occurred.
IoCs can include file hashes, IP addresses, domain names, registry changes, process anomalies, or behavioural signatures that correlate with known threats. They are typically used in forensic analysis, threat hunting, and automated detection workflows to identify, trace, and respond to security incidents post-compromise.

1. File hashes
   File hashes are unique digital fingerprints of files (e.g., MD5 or SHA256) which can be used to identify known malware or suspicious files. These hashes serve as IoCs that can be cross-referenced with threat intelligence feeds to identify file-based threats across environments.
2. Malicious IP addresses
   Malicious IP addresses are IoCs linked to phishing, malware delivery, or command-and-control infrastructure. Communication with these IP addresses often indicates a compromised user or system.
3. Domain names and URLs
   Domain names and URLs are among the most common IoCs used to detect and investigate malicious activity. They represent hostnames (e.g. evil-site.com) or full web addresses (e.g. http://evil-site.com/payload.exe) that are involved in:
   –  phishing campaigns (e.g., fake login pages)
   –  malware distribution (e.g., links to malicious payloads)
   –  command and control (C2) communication (e.g. backdoors or RATs, remote access trojans)
   –  initial access brokers and exploit delivery
4. Registry keys
   Windows registry keys are critical system configurations stored in a hierarchical database used by the Windows OS and applications. Malicious actors often target or manipulate specific registry keys to:
   –  achieve persistence (e.g., run malware at startup)
   –  disable security features (e.g., real-time protection or MAPS, Microsoft Advanced Protection Service)
   –  modify system behaviour for stealth or privilege escalation
   Inspecting critical registry keys is essential for detecting potential manipulation and enabling a timely response before an attack can progress.

IoFs – Indicators of Fraud

IoFs are warning signs that someone may be tricking a system for financial gain. While they can overlap with cybersecurity issues like malware, fraud indicators usually focus on actions that seem dishonest or unusual – especially involving money. Examples include:

1. Systems logs and alerts: Audit log irregularities
   These can reveal audit log tampering, unauthorised access attempts, or suspicious configuration changes. An effective way to detect these indicators is to monitor Windows Security Event Logs and associated actions. Associated threats include:
   –  Loss of non-reputation evidence
   –  Lack of visibility over malicious activities
   –  Regulatory non-compliance
2. Phishing attempts
   Do not interact with unexpected links, email attachments, or suspicious OTP messages from unknown sources. They may contain malware designed to steal your personal or financial information. 
   For example, if you start receiving emails from an ASN that hasn’t communicated with you for the last three months, and these emails are flagged as threats originating from distinct IP addresses, this may justify classifying the ASN as a potential IoF.
3. Suspicious user behaviour
   Fraud can be detected through unusual activity, such as sudden changes to phone numbers or email addresses, unexpected transaction requests or multiple successful sign-ins from distant countries on the same day. These activities often point to an account compromise or an identity theft. In this case, a useful detection can be to find cases where the user successfully logs in from countries that are far apart on the same day.

Summary

The article clarifies the differences between:

• IoAs – Indicators of Attack: Signs that an attack is happening or imminent.
• IoCs – Indicators of Compromise: Evidence of past attacks.
• IoFs – Indicators of Fraud: Suspicious behaviour aimed at financial or identity manipulation.

Illustrative examples:

• IoAs: PowerShell misuse, excessive SMTP traffic or base64-encoded commands.
• IoCs: File hashes, malicious IP addresses, domain names and URLs or registry changes.
• IoFs: Sudden changes in user behaviour, OTP scams, or logins from widely separated locations in short periods.

For each type of indicator, the article shares practical detection strategies and ex-plains their real-life relevance. It encourages threat hunters to move beyond static detections (IoCs) and proactively identity attacker behaviours and fraud before damage is caused.