Report Method: User in the Finance department clicked the “Report Phish” button in their Outlook add-in (Microsoft Report Phishing Add-in / PhishMe (Cofense) Reporter Button).
Email Details:
- Sender:
it-support@secure-loginn.com(Spoofed domain) - Subject: URGENT: Multi-Factor Authentication (MFA) Reset Required for Your Account
- Received: Today, 10:15 AM
Email Body:
Dear Employee,
Our security system has detected unusual login attempts on your corporate account. To protect your data, we require you to reconfigure your Multi-Factor Authentication (MFA) settings immediately.
Failure to update your MFA within 24 hours will result in temporary suspension of your account and access to all corporate resources.
Click here to verify your identity and update your MFA: hxxps://secure-loginn[.]com/corp/identity/verify
This is a mandatory security compliance action.
Thank you,
IT Security Team
Corp IT Support
Initial Triage Observation: The domain secure-loginn.com is not our corporate domain (ourcompany.com). The sense of urgency (“URGENT”, “within 24 hours”, “suspension”) is a common phishing tactic.
2. Analysis Process & Tools Used
| Step | Action | Tool(s) Used | Purpose & Findings |
|---|---|---|---|
| 1. Reception & Triage | Alert generated from the phishing report. | Microsoft 365 Defender / Office 365 Security & Compliance | The reported email is automatically quarantined or moved to a security mailbox. SOC Analyst receives alert in the SIEM. |
| 2. Header & Metadata Analysis | Extract full email headers, sender IP, SPF/DKIM/DMARC results. | Microsoft 365 Message Header Analyzer, MxToolbox | – Return-Path differs from From: address.– SPF: FAIL (Sender IP not authorized by ourcompany.com‘s SPF record).– DKIM: PASS but for wrong domain (secure-loginn.com).– DMARC: FAIL (Alignment failed).– Source IP: 185.143.221[.]45 (Known VPS provider). |
| 3. URL & Attachment Analysis | Analyze the embedded link without clicking. | VirusTotal, URLScan.io, ANY.RUN (or internal sandbox) | – URL: hxxps://secure-loginn[.]com/corp/identity/verify– VirusTotal: 12/94 security vendors flagged as malicious. – URLScan.io: The site is a credential harvesting page mimicking the Microsoft 365 login page. – Domain Age: Registered 3 days ago. |
| 4. Malware Sandboxing | Detonate the URL in a controlled environment. | ANY.RUN / Cuckoo Sandbox / Joe Sandbox | Analysis confirms the site: 1) Harvests Microsoft 365 credentials, 2) Asks for MFA code in a second step (real-time phishing), 3) Has no payload download. |
| 5. Internal Threat Hunting | Check if anyone else received this email or visited the URL. | Microsoft Defender for Endpoint (MDE) / Splunk (SIEM) searches. | – Email Gateway Logs: Found 45 other recipients internally. All emails were blocked by gateway due to SPF fail, except for the one reported (user’s mailbox had a delayed rule). – Endpoint Logs: No hits for connections to the malicious IP/URL from our network. |
| 6. Indicator of Compromise (IoC) Extraction | Formalize findings for blocking and alerting. | Manual compilation from analysis. | IOCs: – URL: hxxps://secure-loginn[.]com/corp/identity/verify– Domain: secure-loginn.com– IP: 185.143.221[.]45– Subject Line: “URGENT: Multi-Factor Authentication (MFA) Reset Required for Your Account” |
| 7. Containment & Remediation | Block threats and clean up. | Firewall (Palo Alto), Email Gateway (Mimecast), DNS Filter (Cisco Umbrella), Microsoft 365 Security | 1. Block IP and URL at firewall and DNS layer. 2. Add sender domain to email gateway blocklist. 3. Search and purge all instances of this email from all mailboxes using Search-Mailbox or New-ComplianceSearch.4. No endpoint action required. |
| 8. User Notification & Education | Inform the reporting user and broader audience. | Jira Service Management, Security Awareness Platform (KnowBe4) | 1. Thank the user for reporting (closing the loop). 2. Create a security awareness notification about this specific campaign for the Finance department. |
3. Detailed Jira Comment / Analysis Summary
Jira Ticket: SOC-2023-0891
Summary: Analysis of Reported Phish: “URGENT: MFA Reset Required”
Status: Analysis Complete -> Closed
Resolution: Malicious
Comment by [Analyst Name] – [Date/Time]:
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Reported By: User from Finance Dept. via “Report Phish” button.
- Email Subject: “URGENT: Multi-Factor Authentication (MFA) Reset Required for Your Account”
- Targeted Technique: Credential Harvesting & MFA Phishing (Session Theft).
2. Technical Analysis:
- Email Authentication: SPF Hard Fail, DMARC Fail. Confirmed spoofing attempt. The email did not originate from legitimate Microsoft or our corporate infrastructure.
- Sender Analysis: Spoofed display name “IT Security Team”. From domain
secure-loginn[.]com(typo-squatting style). - Link Analysis:
- URL
hxxps://secure-loginn[.]com/corp/identity/verifywas analyzed via URLScan.io and ANY.RUN. - Hosts a counterfeit Microsoft 365 login page designed to steal credentials and, in a subsequent page, one-time MFA codes.
- Domain registered recently and is not associated with any legitimate service provider.
- URL
- Campaign Impact: Email was sent to 45 internal addresses. Our email gateway (Mimecast) blocked 44 based on reputation and SPF failure. One copy reached the user’s inbox due to a delayed journaling rule.
3. Indicators of Compromise (IOCs) for Blocking:
Type IOC
URL hxxps://secure-loginn[.]com/corp/identity/verify
Domain secure-loginn[.]com
IP Address 185.143.221[.]45
Subject URGENT: Multi-Factor Authentication (MFA) Reset Required for Your Account
4. Actions Taken:
- Containment:
- Blocked IOCs at Firewall (Palo Alto) and DNS Filter (Cisco Umbrella).
- Added
secure-loginn.comto the global email blocklist. - Purged all remaining instances of this email from user mailboxes using Microsoft 365 Compliance Search (
New-ComplianceSearchAction -Purge).
- Investigation:
- Reviewed EDR (MDE) logs; no evidence of successful credential entry or compromise from any corporate endpoint.
- Searched SIEM for outbound connections to malicious IP; no hits.
- User Communication:
- The reporting user has been thanked via email for their vigilance.
- A security tip highlighting this specific MFA-phishing tactic has been scheduled for distribution.
5. Conclusion & Recommendations:
- Conclusion: This was a targeted credential harvesting phishing campaign. Thanks to the user’s report, we identified and contained the threat rapidly. No compromise detected.
- Recommendations:
- Strengthen email filtering rules to more aggressively quarantine emails with SPF hard fails, even from internal relays.
- Consider implementing an explicit “External Email” tagging banner, which would have made the spoofed sender more obvious.
- Continue user awareness campaigns focusing on MFA phishing and scrutinizing URLs.
Ticket Closure Justification: All identified IOCs have been blocked, the threat has been eradicated from the environment, and no evidence of compromise exists. The user who reported the incident has been informed. This ticket can be closed.