SOC101 - Phishing Mail Detected Alert
Let's analyze a phishing mail, with a suspicious URL ...
Last updated
Hello, blue teamers. In this blog entry, join me as I attempt to conquer the SOC 101 — Phishing Mail Detected alert, hosted on Let’s Defend.
NOTE: Always remember to investigate alerts from Let's Defend on a VM.
Let’s have a good look at the alert to familiarize ourselves with the details.
Proceed to take ownership of the case by clicking 'Create case'.
Since the SOC alert deals with phishing mail, let’s have a look at Let’s Defend’s mailbox, titled ‘Exchange’, and search by the mail address of the victim — mark@letsdefend.io.
This is the sent mail in question:-
We’ve got our first bit of evidence here, a malicious domain — http://nuangaybantiep.xyz
It seems the email was sent to Mark’s phone, so it is not a desktop endpoint that we are looking for here.
Checking the ‘Endpoint Security’ section, we come across Mark’s phone, titled ‘MarksPhone’.
Let’s proceed to start the playbook.
These answers are visible from our alert summary:-
A1) April 4, 2021, 11 p.m.
A2) 146.56.195.192
A3) lethuyan852@gmail.com
A4) mark@letsdefend.io
A6) No
Is the content malicious?
To check, let’s run the given domain (http://nuangaybantiep.xyz) through a few threat intel platforms, namely VirusTotal, Hybrid-Analysis and Joe Sandbox.
While the former two returned clean checks on the domain, Joe Sandbox had something else to say, which can be seen below:-
The site was definitely suspicious, but had no malware configuration evidence attached to it.
A) Non-suspicious
A) Yes
From Joe Sandbox we understand that the domain was earlier used to spread a trojan, but it is now unreachable to us and is not causing any harm.
Analysis of the domain on VirusTotal and Hybrid-Analysis is testament to that.
Hence, the domain is non-malicious.
A) Non-malicious
Let’s fill in the table with the evidence and related information collected so far.
From VirusTotal, we can get information about the serving IP address and the final destination domain for the suspected domain.
Click next to submit them.
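The evidence fields the playbook asks for (timestamp, SMTP address, sender, recipient, the embedded URL and its domain) can be pulled straight out of the raw mail rather than copied by hand. The Python below is an added example, not part of this write-up or of Let's Defend's tooling; the message it parses is a constructed sample that reuses the alert's values, and the Received-header host name is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mail reproducing the alert's fields (sender, recipient,
# SMTP source IP, timestamp, embedded URL); not a capture from LetsDefend.
SAMPLE_EML = """\
Received: from mail.example.invalid ([146.56.195.192]) by mx.letsdefend.io;
 Sun, 04 Apr 2021 23:00:00 +0000
From: lethuyan852@gmail.com
To: mark@letsdefend.io
Subject: Your account
Date: Sun, 04 Apr 2021 23:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Please review your account here: http://nuangaybantiep.xyz
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# The bracketed IP in the topmost Received header is the host that handed the
# mail to our MX: the value the alert reports as the "SMTP address".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def defang(text: str) -> str:
    """Neutralise a URL or IP so it cannot be clicked from the case notes."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def extract_evidence(raw_eml: str) -> dict:
    """Pull the playbook's evidence fields out of a raw RFC 5322 message."""
    msg = message_from_string(raw_eml)
    received = msg.get_all("Received") or []
    ip_match = RECEIVED_IP_RE.search(received[0]) if received else None
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = sorted(set(URL_RE.findall(body)))
    return {
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "smtp_address": ip_match.group(1) if ip_match else None,
        "sender": parseaddr(msg["From"])[1],
        "recipient": parseaddr(msg["To"])[1],
        "urls": [defang(u) for u in urls],
        "domains": [defang(u.split("/")[2]) for u in urls],
    }


if __name__ == "__main__":
    for field, value in extract_evidence(SAMPLE_EML).items():
        print(f"{field:>13}: {value}")
```

The defanged URL and domain go into the evidence table as-is; the serving IP and final destination still come from VirusTotal, as the write-up describes.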
This is the analyst’s opinion on the alert
Finish the playbook
Close the alert
We were not able to achieve the objectives required to completely solve this alert. Let’s take it as a learning opportunity, to go ahead and crush other incoming SOC alerts!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
A phishing mail has come in, to one of Let's Defend's endpoints. Upon investigation, it was found that the link attached was malicious in nature. It had been used to peddle malware in the past and it is understood that the endpoint user did click on the link.
All relevant evidence and information has been collected and submitted, confirming the alert as a true positive.
Thank you for reading this blog entry. Stay tuned, as I go hunting behind some pcap files out there....
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day