MATCH-4 Intelligence Ratio Model
Description
Nowadays, we can find hundreds of Threat Intelligence feeds available across the internet. Most of them focus on the typical indicators such as suspicious or malicious IP addresses, URLs, domains, or file hashes.
There are different solutions and projects that leverage these feeds to check whether collected IOCs are present in our tenants or logs, with the goal of alerting, auditing, or even directly blocking access to the identified indicators.
However, there is another critical aspect when working with TI feeds: the match ratio, i.e. how likely a collected IOC is to actually be found in your environment.
With this in mind, I would like to share what I have called the MATCH-4 Intelligence Ratio. This approach not only aligns the collected indicators better with the threats a given environment actually faces, but also significantly increases the likelihood of finding relevant IOCs.
Simply collecting more IOCs doesn’t guarantee better protection. What matters is their relevance to your users, infrastructure, and industry. The MATCH-4 Intelligence Ratio Model introduces a framework to evaluate indicators through four lenses—language, location, systems, and sector—so that defenders can prioritize high-confidence matches and filter out low-value noise.
MATCH-1 IRM: Language
Language is one of the most influential drivers of a successful match ratio in malicious campaigns. Adversaries understand that familiarity with language builds trust, while unfamiliar languages often trigger suspicion. To maximize engagement, attackers carefully tailor their phishing content to align with the linguistic expectations of their target.
For example, a user in Switzerland is unlikely to interact with subjects, URLs, or attachments written in Spanish, Chinese, or Russian. However, when the same content is presented in German, French, or Italian—the country’s official languages—it immediately feels natural and credible, significantly increasing the probability of interaction.
Attackers exploit this in multiple ways:
- Localized communication: Emails, SMS, and websites are translated or adapted into the target’s native or official language. Even basic greetings such as “Bonjour”, “Guten Tag”, or “Buongiorno” can establish an instant sense of legitimacy.
- Imitation of local tone and style: Beyond translation, adversaries may mimic the structure, spelling, and tone commonly used in official or corporate communication within the country. For instance, they may adopt formal letter formats, specific honorifics, or local abbreviations.
- Hybrid language usage: In multilingual regions (e.g., Switzerland, Belgium, or Canada), attackers may include multiple languages within the same campaign to broaden coverage and increase success rates.
- Technical lures in native language: Error messages, software update prompts, or login pages often appear in the user’s expected language, making them indistinguishable from legitimate sources.
From a defensive perspective, language-based IOCs are crucial in threat hunting. A sudden surge of malicious domains, attachments, or phishing lures localized into a specific language can indicate a regionally focused campaign. Monitoring these language patterns helps defenders anticipate targeted social engineering efforts before they scale.
MATCH-2 IRM: Location
The second aspect integrated into this model is location, which adversaries often exploit to make malicious content appear more trustworthy and relevant to the target audience. Attackers may craft URLs, email subjects, or filenames that contain references to the local environment. Importantly, these references do not always directly mention the targeted country or city, but they often include subtle cues such as:
- Countries, cities, and villages
- Local events, public holidays, or cultural festivals
- Popular tourist attractions and landmarks
- Essential services (banks, public transportation, utilities, healthcare)
- Well-known local companies or government institutions
- Regional news headlines or weather alerts
These location-based elements increase the likelihood that a user will perceive the content as legitimate and engage with it. For instance, malicious campaigns may imitate a country’s official tax agency during the filing season, mimic transport providers with urgent schedule updates, or reference a national holiday to deliver themed “announcements” or attachments.
From a defensive perspective, such information is valuable for identifying malicious infrastructure. URLs or domains that abuse local references can signal targeted phishing attempts or region-focused attacks that would otherwise appear benign in a global context.
MATCH-3 IRM: Systems
The systems your users actually work with every day strongly influence the IOC match ratio. This goes beyond the operating system to include productivity suites, line-of-business apps, identity/VPN solutions, and collaboration tools, for instance:
- Operating systems: In a Mac-heavy environment, lures about Windows Update or KB patches will have a very low match ratio; macOS or App Store update lures will score higher.
- Office systems: If your org uses Microsoft 365 Online, indicators referencing SharePoint, OneDrive, Exchange, Teams, or Yammer will match far better than lures tied to Google Workspace (Drive, Gmail, Docs)—and vice versa.
- Business apps: If finance runs on SAP or Workday, invoices, payroll, or vendor-portal lures branded to those systems will match more than generic “billing portal” pages.
- Developers/IT: Teams centered on GitHub/GitLab/Jira/ServiceNow will match more on code-repository access, PAT revocation, pipeline failures, or ticket updates.
MATCH-4 IRM: Sector
The final—and often most decisive—factor in improving the IOC match ratio is sector relevance. If the IOCs being collected are not tailored to your organization’s industry, they will likely yield a very low match ratio, since users will not recognize the content as meaningful or connected to their daily work.
By contrast, when adversaries craft malicious content that aligns with the business operations, workflows, and terminology of a specific sector, the probability of user interaction increases dramatically. Employees are far more likely to trust lures that resemble the legitimate communication they encounter in their professional environment.
Attackers exploit this in multiple ways:
- Sector-themed communication: Emails or attachments are styled to look like industry updates, regulatory notices, or supplier announcements that users would normally expect.
- Business-relevant documents: Malicious files may be disguised as contracts, reports, project updates, or billing statements, all of which appear consistent with the user’s work responsibilities.
- Operational references: Phishing domains or lures may reference common processes such as audits, compliance checks, procurement, or HR procedures, giving them a natural sense of legitimacy.
- Partner and vendor imitation: Adversaries frequently mimic external organizations that typically interact with the target sector, increasing believability and the chance of user action.
From a defensive perspective, sector-aware IOCs are critical. Monitoring for malicious indicators that align with your business context allows security teams to filter out irrelevant noise and focus on high-probability threats. A sudden spike in sector-specific phishing templates, document names, or domains can reveal targeted campaigns before they gain traction.
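As an added worked example (not part of the MATCH-4 description itself), the following Python scores each collected indicator against an organisation profile along the four lenses and ranks the high-ratio ones for triage. The profile, keyword lists and sample indicators are constructed, and the equal weighting of the four lenses is an assumption of this example, not something the model prescribes.

```python
import re
from dataclasses import dataclass
# Added example, not part of the MATCH-4 text: one boolean per lens, ratio = matched / 4.
# Equal weighting of the four lenses is an assumption of this example, not of the model.

@dataclass(frozen=True)
class OrgProfile:
    languages: frozenset     # language codes users expect, e.g. {"de", "fr", "it"}
    locations: frozenset     # local cues: cities, services, institutions
    systems: frozenset       # products users actually work with
    sector_terms: frozenset  # day-to-day vocabulary of the industry

@dataclass(frozen=True)
class Indicator:
    value: str      # raw IOC: domain, URL, subject line or filename
    language: str   # language code detected in the lure text
    text: str = ""  # accompanying lure text (subject or body snippet)

def match4_score(ioc, org):
    """Return (ratio, per-lens detail); ratio is the fraction of lenses matched."""
    # \w+ keeps accented and non-Latin words whole so they can be matched as cues
    tokens = set(re.findall(r"\w+", f"{ioc.value} {ioc.text}".lower()))
    detail = {
        "language": ioc.language.lower() in org.languages,
        "location": not tokens.isdisjoint(org.locations),
        "systems": not tokens.isdisjoint(org.systems),
        "sector": not tokens.isdisjoint(org.sector_terms),
    }
    return sum(detail.values()) / len(detail), detail

def prioritize(iocs, org, threshold=0.5):
    """Indicators at or above the threshold, highest MATCH-4 ratio first."""
    scored = [(match4_score(i, org)[0], i.value) for i in iocs]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

# Constructed profile: a German/French/Italian-speaking bank on Microsoft 365 and SAP.
SWISS_BANK = OrgProfile(
    languages=frozenset({"de", "fr", "it"}),
    locations=frozenset({"zürich", "genève", "sbb", "postfinance"}),
    systems=frozenset({"sharepoint", "onedrive", "teams", "sap"}),
    sector_terms=frozenset({"sepa", "iban", "kyc", "compliance"}),
)
# Constructed indicators in the shape a feed might deliver them.
SAMPLE_IOCS = [
    Indicator("sbb-fahrplan-update.example", "de", "Ihr SBB Fahrplan wurde aktualisiert - Teams Hinweis"),
    Indicator("kyc-sharepoint-login.example", "en", "SEPA compliance review - sign in to SharePoint"),
    Indicator("billing-portal.example", "ru", "Счет за услуги"),
]
if __name__ == "__main__":
    for ratio, value in prioritize(SAMPLE_IOCS, SWISS_BANK):
        print(f"{ratio:.2f}  {value}")
```

The Russian-language billing lure scores 0 on every lens and drops out of the triage list, while the SBB/Teams lure in German matches three of four lenses and ranks first.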
Files
MATCH-4.png (1.2 MB, md5: d47514a488fc5931ff99733b62b762f6)