1. The Incident: Reported Email

  • Sender: hr-notifications@payro11-portal.com
  • Subject: ⚠️ URGENT: 2026 Annual Bonus & Salary Adjustment Review Required
  • Target: Employee in the Finance Department.

2. Updated Workflow: How it was Handled

Step A: Automated Ingestion & Ticket Creation

  • Action: The user clicks the Cofense Reporter (formerly PhishMe) button. The email is instantly pulled from the inbox.
  • Tools Used:
    • Cofense Triage: For automated ingestion and initial clustering of similar reports.
    • Jira Service Management: For centralized ticket tracking and SLA monitoring.
    • Microsoft Graph API: To programmatically move the email to a “Quarantine” sub-folder.

Step B: Technical Header & Metadata Analysis

  • Action: The SOC Analyst examines the “Email DNA”—IP addresses, routing hops, and authentication results (SPF/DKIM/DMARC). The Received chain is read from the bottom up, and only the hops written by the company’s own mail gateways are trusted: everything below the first hop was supplied by the sender and can be forged. The SPF/DKIM/DMARC verdicts are taken from the Authentication-Results header stamped by that gateway, not from anything the sender wrote.
  • Tools Used:
    • MXToolbox / MHA (Message Header Analyzer): To parse the routing headers and identify the true originating IP.
    • WHOIS / DomainTools: To check the age of the sender’s domain (identified as only 2 days old).
    • Cisco Talos / VirusTotal: To check the reputation score of the sender’s IP address.

Step C: URL & Payload Detonation

  • Action: The suspicious link is “clicked” inside a safe, isolated environment to see what the website actually does.
  • Tools Used:
    • ANY.RUN: An interactive sandbox that records the website’s behavior (e.g., “Does it try to download a file?” or “Is it a fake login page?”). Detonation happens inside the sandbox’s own network, never from the analyst’s workstation. AitM kits commonly fingerprint visitors and serve a harmless page to scanners, so a clean result does not clear the URL.
    • urlscan.io: To get a “screenshot” of the site without visiting it directly; the request originates from urlscan.io’s infrastructure, so the analyst’s IP is never exposed to the attacker. Targeted lures should be submitted as Private scans, since Public results are searchable by anyone, including the attacker.
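
The header and link checks from Steps B and C, as an added example that is not part of the original write-up and is not code from Cofense, MXToolbox or any other tool named above. It assumes the company’s own relays are `inbound.example-corp.com` and `mx1.example-corp.com` and that its legitimate payroll traffic comes from `example-corp.com`; the raw message below is constructed sample data shaped like the reported email (sender and URL are the incident’s, the relay names, IP 203.0.113.7 and timestamps are made up). The Received walk trusts only lines written by our own relays, and the look-alike check undoes the digit-for-letter swap in `payro11` and resolves the link’s registrable domain to `com-auth-sec.xyz`.

```python
"""Header and link triage for a reported phish (Steps B and C).

Added example, not from the original write-up or any vendor tool.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: hostnames of our own MTAs. Only Received lines written *by* these
# are trustworthy; the sender controls every line below the first hop.
TRUSTED_RELAYS = {"inbound.example-corp.com", "mx1.example-corp.com"}

# Constructed sample message shaped like the reported email. Sender and URL are
# the incident's; relay names, the IP 203.0.113.7 and the timestamps are made up.
RAW_MESSAGE = """\
Received: from mx1.example-corp.com (mx1.example-corp.com [198.51.100.10])
 by inbound.example-corp.com with ESMTPS; Mon, 12 Jan 2026 08:14:02 +0000
Received: from mail.payro11-portal.com (unknown [203.0.113.7])
 by mx1.example-corp.com with ESMTP; Mon, 12 Jan 2026 08:14:01 +0000
Authentication-Results: mx1.example-corp.com; spf=fail (sender IP is
 203.0.113.7) smtp.mailfrom=payro11-portal.com; dkim=none;
 dmarc=fail action=quarantine header.from=payro11-portal.com
From: HR Notifications <hr-notifications@payro11-portal.com>
To: finance-user@example-corp.com
Subject: URGENT: 2026 Annual Bonus & Salary Adjustment Review Required
Content-Type: text/plain; charset=utf-8

Please review your adjustment here:
https://login.microsoftonline.com-auth-sec.xyz/common/oauth2/authorize
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Digit-for-letter swaps common in typosquats (heuristic, not a confusables table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def originating_ip(msg):
    """IP recorded by the outermost trusted relay, i.e. the first real hop.

    Relays prepend their Received line, so the list is newest-first. Walking it
    oldest-first and stopping at the first line written by one of our own
    relays skips any Received lines the sender forged below that point.
    """
    for hop in reversed(msg.get_all("Received", [])):
        by, ip = BY_RE.search(hop), IP_RE.search(hop)
        if by and ip and by.group(1) in TRUSTED_RELAYS:
            return ip.group(1)
    return None


def auth_verdicts(msg):
    """SPF/DKIM/DMARC results stamped by our edge MX, e.g. {'dmarc': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def registrable_domain(host):
    """Last two labels of a hostname. No public-suffix list, so fine for
    .com/.xyz but wrong for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def impersonates(host, keyword, legit_domain):
    """True when the host carries the brand keyword (after undoing digit
    look-alikes) but its registrable domain is not the brand's own domain.
    login.microsoftonline.com-auth-sec.xyz registers as com-auth-sec.xyz."""
    host = host.lower()
    if registrable_domain(host) == legit_domain.lower():
        return False
    return keyword.lower() in host.translate(CONFUSABLES)


def triage(raw):
    """Parse one raw RFC 5322 message and return the analyst-facing facts."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    urls = URL_RE.findall(msg.get_body(preferencelist=("plain",)).get_content())
    verdicts = auth_verdicts(msg)
    findings = []
    if verdicts.get("dmarc") != "pass":
        findings.append(f"DMARC {verdicts.get('dmarc', 'result missing')}")
    if impersonates(sender_domain, "payroll", "example-corp.com"):
        findings.append(f"sender domain {sender_domain} mimics payroll but is not ours")
    for url in urls:
        host = urlparse(url).hostname or ""
        if impersonates(host, "microsoftonline", "microsoftonline.com"):
            findings.append(f"{host} is really {registrable_domain(host)}, not Microsoft")
    return {"origin_ip": originating_ip(msg), "auth": verdicts, "urls": urls,
            "findings": findings, "verdict": "malicious" if findings else "no findings"}


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it as a script to see the three findings for the sample. The trusted-relay rule is the part worth keeping: a Received line that is not written “by” one of your own gateways is just text the sender typed, and the first hop recorded by your edge MX is the only originating IP you can defend in a report.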

Step D: Global Search & Containment

  • Action: Once confirmed malicious, the SOC must find if any other employees received the same email and block the threat globally.
  • Tools Used:
    • Microsoft Defender for Office 365 (Explorer): To run a “Search & Purge” query to delete the email from all 10,000+ company inboxes.
    • Palo Alto PAN-OS / Zscaler: To add the malicious URL to the corporate web filter/firewall blocklist.
    • CrowdStrike Falcon / SentinelOne (EDR): To check whether any endpoint in the company resolved the malicious domain or actually established a network connection to the malicious IP. A DNS lookup alone shows the link was followed; a completed connection is what decides which users need the identity-side response.
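
The endpoint sweep in Step D, as an added example that is not from the original write-up and is not a CrowdStrike or SentinelOne query. It assumes the EDR export is newline-delimited JSON with `DnsRequest` and `NetworkConnect` events (the field names, hostnames and IP 203.0.113.7 below are constructed), matches the confirmed domain and all of its subdomains label by label rather than by substring, and separates hosts that merely resolved the name from hosts whose connection actually completed.

```python
"""Blast-radius sweep over endpoint telemetry (Step D).

Added example, not from the original write-up and not an EDR vendor query.
"""
import json

IOC_DOMAINS = {"com-auth-sec.xyz"}   # registrable domain from the detonation
IOC_IPS = {"203.0.113.7"}            # constructed: IP the phishing site resolved to

# Constructed events in the shape of an EDR export, one JSON object per line.
SAMPLE_EVENTS = """\
{"host":"FIN-LT-0142","event":"DnsRequest","query":"login.microsoftonline.com-auth-sec.xyz","ts":"2026-01-12T08:20:11Z"}
{"host":"FIN-LT-0142","event":"NetworkConnect","remote_ip":"203.0.113.7","remote_port":443,"status":"blocked","ts":"2026-01-12T08:20:12Z"}
{"host":"FIN-LT-0077","event":"DnsRequest","query":"login.microsoftonline.com","ts":"2026-01-12T08:21:40Z"}
{"host":"HR-LT-0003","event":"DnsRequest","query":"notcom-auth-sec.xyz","ts":"2026-01-12T08:22:05Z"}
{"host":"FIN-LT-0210","event":"NetworkConnect","remote_ip":"203.0.113.7","remote_port":443,"status":"established","ts":"2026-01-12T08:25:30Z"}
"""


def domain_matches(name, iocs):
    """True if name equals an IOC domain or is a subdomain of one.
    Label-aware, so notcom-auth-sec.xyz does not match com-auth-sec.xyz."""
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


def _empty():
    return {"resolved": [], "blocked": 0, "established": 0}


def sweep(lines, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Per-host summary of IOC activity from newline-delimited JSON events."""
    hits = {}
    for line in filter(None, lines.splitlines()):
        ev = json.loads(line)
        host = ev["host"]
        if ev["event"] == "DnsRequest" and domain_matches(ev["query"], domains):
            hits.setdefault(host, _empty())["resolved"].append(ev["query"])
        elif ev["event"] == "NetworkConnect" and ev["remote_ip"] in ips:
            key = "established" if ev["status"] == "established" else "blocked"
            hits.setdefault(host, _empty())[key] += 1
    return hits


def escalate(hits):
    """Hosts that actually reached the phishing site. Their users may have
    typed credentials into the AitM proxy, so they drive the identity response
    (session revocation, MFA reset), not just the mailbox purge."""
    return sorted(host for host, s in hits.items() if s["established"])


if __name__ == "__main__":
    found = sweep(SAMPLE_EVENTS)
    for host, summary in found.items():
        print(host, summary)
    print("escalate:", escalate(found))
```

On the sample, FIN-LT-0142 resolved the domain but the connection was blocked, FIN-LT-0210 completed a connection, and HR-LT-0003 is ignored because its query only contains the IOC as a substring. That last case is the usual mistake in a hurried "contains" search and is why the match is done on labels.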

3. Detailed Jira Comment of the Analysis

Jira Comment – Incident Analysis [INC-2026-8821]
Status: Resolved | Priority: High
Analyst: Walter White (Tier 1)

Analysis Details:

  • Initial Discovery: Triggered by user report via Cofense Reporter.
  • Header Analysis: Found DMARC Fail. Originating IP 185.x.x.x (Bulgaria) is not authorized for payro11-portal.com.
  • URL Detonation (ANY.RUN): The link https://login.microsoftonline.com-auth-sec.xyz rendered a high-fidelity clone of our corporate SSO. The site uses an “Adversary-in-the-Middle” (AitM) framework to capture session cookies and TOTP MFA codes.
  • Blast Radius: Used Defender Explorer to identify 22 total recipients. 19 were unread, 3 were opened.

Remediation Steps:

  1. Purge: Successfully executed Hard Delete command via SOAR (Splunk SOAR) for all 22 instances of the email across the tenant.
  2. Network Block: Domain added to Zscaler “Malicious Sites” category and Palo Alto External Dynamic List (EDL).
  3. Identity Protection: For the 3 users who opened the email, I forced a global logout and triggered a “MFA Re-enrollment” in Azure AD (Entra ID) as a precaution.
  4. EDR Verification: Queried CrowdStrike for any DNS requests to the malicious domain; results returned zero (0) successful connections.

Closing Note: This was a targeted 2026-style AitM phishing attempt. User education worked as intended. Closing ticket.
