SOC101 - Phishing Mail Detected Alert

Let's analyze a phishing mail with a suspicious URL...

Hello, blue teamers. In this blog entry, join me as I attempt to conquer the SOC 101 — Phishing Mail Detected alert, hosted on Let’s Defend.

NOTE: Always remember to investigate alerts from Let's Defend on a VM.

Introduction to the Alert

Let’s have a good look at the alert to familiarize ourselves with the details.

Proceed to take ownership of the case by clicking ‘Create case’.

Initial enumeration

Since the SOC alert deals with phishing mail, let’s have a look at Let’s Defend’s mailbox, titled ‘Exchange’, and search by the mail address of the victim — mark@letsdefend.io

This is the sent mail in question:-

We’ve got our first bit of evidence here, a malicious domain — http://nuangaybantiep.xyz

It seems the email was sent to Mark’s phone, so the endpoint we are looking for here is not a desktop.

Checking the ‘Endpoint Security’ section, we come across Mark’s phone, titled ‘MarksPhone’.

Incident details

Let’s proceed to start the playbook

Playbook Questions

Parsing the email

These answers are visible from our alert summary:-

A1) April 4, 2021, 11 p.m.
A2) 146.56.195.192
A3) lethuyan852@gmail.com
A4) mark@letsdefend.io
A6) No

Is the content malicious?

To check it, let’s run the given domain (http://nuangaybantiep.xyz) through a few threat intel platforms, namely VirusTotal, Hybrid-Analysis and Joe Sandbox.

While the former two returned clean results for the domain, Joe Sandbox had something else to say, as can be seen below:-

The site was definitely suspicious, but had no malware configuration evidence attached to it.

A) Non-suspicious

Attachments or URLs in the mail?

A) Yes

Analyze Url/Attachment

From Joe Sandbox we understand that the domain was earlier used to spread a trojan, but it is now unreachable to us and is not causing any harm.

The VirusTotal and Hybrid-Analysis analyses of the domain are testament to that.

Hence, the domain is non-malicious

A) Non-malicious

Adding artifacts

Let’s fill in the table with the evidence and related information collected so far.

From VirusTotal, we can get the serving IP address and the final destination domain for the suspected domain.

Click Next to submit them.
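To make the ‘Parsing the email’ and ‘Adding artifacts’ steps repeatable, here is an added Python example (not part of the original write-up or of Let's Defend) that pulls the playbook fields out of a constructed .eml modelled on this alert's details; the relay hostnames, the Subject line and the URL path are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample mail modelled on the alert's details; the relay hostnames,
# the Subject line and the URL path are assumptions.
SAMPLE_EML = """\
Received: from mail.example.test (unknown [146.56.195.192])
\tby mx.letsdefend.io with ESMTP; Sun, 04 Apr 2021 23:00:00 +0000
From: lethuyan852@gmail.com
To: mark@letsdefend.io
Subject: Your package is waiting
Date: Sun, 04 Apr 2021 23:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Please confirm delivery here: http://nuangaybantiep.xyz/track?id=1
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(msg):
    """SMTP source address from the earliest Received hop: each relay prepends
    its own Received header, so the bottom-most one is closest to the sender."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(str(received[-1])) if received else None
    return match.group(1) if match else None


def extract_artifacts(raw_eml):
    """Pull the playbook fields out of a raw RFC 5322 message."""
    msg = message_from_string(raw_eml, policy=default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = URL_RE.findall(body)
    return {
        "date": str(msg["Date"]),
        "sender_address": str(msg["From"]),
        "recipient_address": str(msg["To"]),
        "sender_ip": originating_ip(msg),
        "urls": urls,
        # Deduplicated hostnames: the values to submit to VirusTotal and friends.
        "domains": sorted({urlparse(u).hostname for u in urls}),
        "has_attachment": any(p.get_filename() for p in msg.walk()),
    }


if __name__ == "__main__":
    for key, value in extract_artifacts(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The returned dictionary maps directly onto the playbook questions (A2 is sender_ip, A3 and A4 the addresses, A6 the attachment flag) and onto the artifact table rows.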

Analyst's Notes

This is the analyst’s opinion on the alert

Finish the playbook

Close the alert

Parting notes

Alert Scorecard

We were not able to achieve the objectives required to completely solve this alert. Let’s take it as a learning opportunity, to go ahead and crush other incoming SOC alerts!

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of the alert

A phishing mail came in to one of Let's Defend's endpoints. Upon investigation, it was found that the link attached was malicious in nature. It had been used to peddle malware in the past, and it is understood that the endpoint user did click on the link.

All relevant evidence and information has been collected and submitted, confirming the alert as a true positive.

Conclusion

Thank you for reading this blog entry. Stay tuned as I go hunting through some pcap files out there...

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) for any queries to be addressed. Dropping a sweet message would make my day.
