Phishing Incident Report: User-Reported Email Analysis

by

PhishMe Alert Details

Report Time: 2024-01-19 14:32:18 EST
Report Method: PhishMe (Cofense) Reporter Button in Outlook
User: swilliams (Sarah Williams, Finance Department)
Reporting Confidence: High (User marked “Definitely Phishing”)
Report ID: PHISHME-REPORT-4587

Reported Email Details:

From: security@microsoft-support[.]net
Reply-To: support@account-verify[.]online
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Received: 2024-01-19 14:25 EST
To: swilliams@ourcompany.com
CC: None

Headers Analysis:
- Return-Path: bounce-7842@newsletter[.]hosting-service[.]co
- SPF: softfail (alignment failed)
- DKIM: pass (but for microsoft-support.net, not microsoft.com)
- DMARC: fail (policy not aligned)
- X-Mailer: Microsoft Office Outlook 15.0

Email Body:
Dear swilliams@ourcompany.com,

Our security systems have detected suspicious login attempts to your Microsoft 365 account from an unrecognized device in [Moscow, Russia]. To prevent unauthorized access, we require immediate verification of your account credentials.

ACCOUNT VERIFICATION REQUIRED WITHIN 24 HOURS

Failure to verify will result in:
1. Account suspension
2. Loss of access to company resources
3. Email quarantine

CLICK HERE TO VERIFY YOUR IDENTITY: 
hxxps://login-office365-verify[.]online/secure/verify?token=AbCdEf12345

This is an automated security message. Please do not reply to this email.

Microsoft Security Team
© 2024 Microsoft Corporation

Note: The link appears to be a legitimate Microsoft login page clone.

PhishMe Reporter Context:

User included the following notes:

  • “Email claims to be from Microsoft but sender domain looks suspicious”
  • “No personalized greeting, uses my full email address”
  • “Creates unnecessary urgency with 24-hour deadline”
  • “Link doesn’t go to microsoft.com domain”

SOC Investigation & Response Process

Phase 1: Initial Triage (14:32-14:45 EST)

Tools: Cofense Triage Platform, Microsoft 365 Defender, Proofpoint Email Security

  1. Report Validation:
    • Confirmed report in Cofense Triage console
    • Verified email headers in Microsoft 365 Defender
    • Checked Proofpoint logs for original email delivery
  2. Initial Assessment:
    • Sender domain microsoft-support.net registered 3 days ago
    • Link domain login-office365-verify.online registered 2 days ago
    • SPF/DKIM/DMARC failures confirm spoofing
  3. Immediate Actions:
    • Quarantined email from user’s mailbox
    • Blocked sender domain at email gateway
    • Added malicious URLs to web filter blocklist

Phase 2: Email Analysis (14:45-15:30 EST)

Tools: Cofense PhishMe Analysis, Microsoft 365 Message Header Analyzer, URLScan.io

  1. Header Analysis:
    • X-Originating-IP: 185.165.190[.]71 (Bulgaria, known phishing host)
    • Message-ID: 20240119142542.7842@newsletter.hosting-service.co
    • Authentication-Results: spf=softfail smtp.mailfrom=microsoft-support.net
  2. URL Analysis:textOriginal URL: hxxps://login-office365-verify[.]online/secure/verify?token=AbCdEf12345 Redirect Chain: 1. login-office365-verify.online/secure/verify 2. secure-login[.]live/auth/microsoft 3. 185.165.190[.]71/captcha/verify Analysis Results: – URLScan.io: 45/72 security vendors flagged as malicious – VirusTotal: 58/94 detections as phishing – Browser Simulation: Credential harvesting page mimicking Microsoft 365 login
  3. Content Analysis:
    • Email uses Microsoft branding without authorization
    • Contains urgency markers (“URGENT”, “24 hours”, “immediate”)
    • Generic greeting with full email address (impersonal)
    • No personalized information from actual Microsoft account

Phase 3: Campaign Analysis (15:30-16:15 EST)

Tools: Proofpoint Threat Response, Splunk SIEM, Microsoft Defender for Office 365

  1. Email Campaign Search:splunkindex=email “login-office365-verify.online” OR “microsoft-support.net” | stats count by recipient, _time
    • Found 127 internal recipients of same/similar emails
    • 98% blocked by Proofpoint, 2% delivered (including reporter’s)
  2. User Impact Assessment:
    • Checked Azure AD sign-in logs for compromised credentials
    • Reviewed Microsoft Defender for Identity alerts
    • Verified no successful logins from suspicious IPs
  3. Threat Intelligence:
    • Campaign matches TA566 (Cloud Account Takeover) tactics
    • Infrastructure reused from previous Microsoft 365 phishing campaigns
    • Domain registration pattern: “microsoft-[word].[tld]”

Phase 4: Containment & Remediation (16:15-17:00 EST)

Tools: Proofpoint Email Security, Cisco Umbrella, Microsoft 365 Security & Compliance

  1. Email Remediation:
    • Created transport rule to block all emails from microsoft-support.net
    • Searched and removed all instances using:powershellSearch-Mailbox -Identity “swilliams” -SearchQuery ‘subject:”URGENT: Your Microsoft 365 Account”‘ -DeleteContent
    • Purged similar emails from all mailboxes via Microsoft 365 Compliance Search
  2. Infrastructure Blocking:
    • Added to Proofpoint blocklist: *.microsoft-support.net*.login-office365-verify.online
    • Blocked at DNS level (Cisco Umbrella): All associated domains and IPs
    • Added to firewall deny list: 185.165.190[.]71 and related IPs
  3. User Protection:
    • Reset user’s password as precautionary measure
    • Enabled additional MFA verification methods
    • Sent user phishing simulation test results (if applicable)

Phase 5: Threat Hunting & Prevention (17:00-17:45 EST)

Tools: Microsoft Sentinel, Proofpoint TAP, Cofense Intelligence

  1. Proactive Hunting:
    • Searched for users who clicked similar links in past 7 days
    • Checked EDR logs for suspicious PowerShell execution post-click
    • Reviewed browser history for visited phishing domains
  2. Prevention Enhancements:
    • Updated Proofpoint policies to more aggressively filter spoofed Microsoft domains
    • Enhanced Microsoft 365 Anti-Phishing policy with impersonation protection
    • Created custom detection rule in Microsoft Sentinel for similar patterns

Jira Incident Report

Ticket: SOC-2024-019
Status: RESOLVED
Priority: P2 – MEDIUM
Components: Email-Security, User-Reporting, Phishing
Labels: phishing, credential-harvesting, microsoft-365, user-reported, T1566
Assignee: SOC Analyst – Email Security Team
Reporter: PhishMe Automated Report (User: swilliams)

Incident Analysis: User-Reported Phishing Email

1. Executive Summary

On January 19, 2024, at 14:32 EST, user swilliams (Finance Department) reported a suspicious email via the PhishMe (Cofense) button in Outlook. The email impersonated Microsoft Security, urging immediate account verification with a link to a credential harvesting page. Analysis confirmed this as a targeted phishing campaign attempting to steal Microsoft 365 credentials. The email was successfully blocked post-delivery, and no credentials were compromised.

2. Incident Timeline

14:25 EST - Phishing email delivered to swilliams@ourcompany.com
14:32 EST - User reports email via PhishMe button
14:35 EST - SOC receives alert in Cofense Triage, begins analysis
14:45 EST - Email confirmed malicious, sender domain blocked
15:00 EST - URL analysis confirms credential harvesting page
15:30 EST - Campaign analysis reveals 127 internal targets
16:00 EST - Email purged from all mailboxes, infrastructure blocked
16:30 EST - User educated, password reset as precaution
17:00 EST - Prevention policies enhanced, incident resolved

3. Technical Analysis

Email Header Analysis:

  • Sender Spoofing: microsoft-support.net (registered 3 days ago) impersonating Microsoft
  • Authentication Failures: SPF softfail, DKIM misalignment, DMARC fail
  • Originating IP: 185.165.190[.]71 (Bulgaria, known phishing infrastructure)

URL Analysis:

Malicious URL: hxxps://login-office365-verify[.]online/secure/verify
Final Destination: 185.165.190[.]71/captcha/verify
Page Content: Microsoft 365 login page clone with credential harvesting
Threat Score: 85/100 (URLScan.io), 58/94 detections (VirusTotal)

Key Indicators:
- Domain age: 2 days
- SSL Certificate: Self-signed, issued to "Microsoft Corporation" (forged)
- Page Behavior: Captures credentials, bypasses MFA via fake "session expired" page

Campaign Characteristics:

  • Targeting: Finance department employees (higher value targets)
  • Social Engineering: Urgency (“24-hour deadline”), authority (Microsoft branding)
  • Technical Sophistication: Basic spoofing, but effective page cloning

4. Impact Assessment

User Impact:

  • Primary Reporter: swilliams – Email accessed, link NOT clicked
  • Other Recipients: 126 additional internal addresses
  • Credentials Compromised: None confirmed
  • Account Takeover: No evidence of successful authentication

Business Impact: LOW

  • No data exfiltration
  • No financial loss
  • Minimal productivity impact (single user report + analysis)

Risk Rating: MEDIUM

  • Attack targeted credentials with privileged access
  • Sophistication level: Basic-Medium
  • Likelihood of success if clicked: High

5. Containment Actions

Immediate Containment (14:35-15:00 EST):

  • Quarantined email from user’s mailbox (Microsoft 365 Defender)
  • Blocked sender domain at email gateway (Proofpoint)
  • Added malicious URLs to web filter (Cisco Umbrella)
  • Notified user via Teams not to interact with email

Campaign Containment (15:00-16:00 EST):

  • Searched and removed similar emails from all mailboxes (Microsoft 365 Compliance)
  • Blocked associated IPs at firewall (Palo Alto Networks)
  • Updated email security policies to catch similar patterns
  • Sent alert to all Finance department users about campaign

6. Investigation Findings

Email Forensic Details:

Sender Address: security@microsoft-support[.]net (spoofed)
Reply-To: support@account-verify[.]online (separate domain for replies)
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Body Indicators:
- Generic greeting with full email address
- False sense of urgency with 24-hour deadline
- Threat of account suspension
- Microsoft branding without proper authorization

Authentication Results:
- SPF: softfail (microsoft-support.net not authorized for IP)
- DKIM: pass (but for wrong domain)
- DMARC: fail (policy not aligned)

Infrastructure Analysis:

  • Domain Registration: Both domains registered via Namecheap with privacy protection
  • Hosting: Bulgarian VPS provider (known for hosting phishing sites)
  • Pattern: “microsoft-[word].[tld]” pattern consistent with TA566 campaigns

7. Root Cause Analysis

Primary Causes:

  1. Email Security Gap: Proofpoint allowed email due to SPF softfail (not hard fail)
  2. User Targeting: Finance department users specifically targeted (higher success rate)
  3. Brand Impersonation: Effective Microsoft branding replication

Contributing Factors:

  1. No advanced impersonation protection enabled in Microsoft 365
  2. User training not recently updated for Microsoft 365-specific phishing
  3. Delayed threat intelligence updates for newly registered domains

8. Remediation & Prevention

Completed Actions:

  • Enhanced Proofpoint policies to treat SPF softfail as reject
  • Added “microsoft-*” domain pattern to watchlist
  • Updated Microsoft 365 Anti-Phishing policy with enhanced impersonation protection
  • Reset user password as precaution (no evidence of compromise)

User Education:

  • Thanked user for reporting (positive reinforcement)
  • Provided specific feedback on what made email suspicious
  • Added user to “Security Champions” program recognition

Technical Controls Enhanced:

  • Implemented Safe Links protection for all Microsoft 365 emails
  • Enabled mailbox intelligence for impersonation detection
  • Created custom transport rule for “URGENT” + “verify” combinations

9. Indicators of Compromise (IoCs)

Email Indicators:

Sender Domains:
- microsoft-support[.]net
- account-verify[.]online

URLs:
- hxxps://login-office365-verify[.]online/secure/verify
- hxxps://secure-login[.]live/auth/microsoft

IP Addresses:
- 185.165.190[.]71 (primary hosting)
- 194.165.16[.]89 (secondary hosting)

File Hashes: N/A (no attachment)

Detection Rules Added:

kql

// Microsoft Sentinel Detection Rule
SecurityAlert
| where AlertName contains "Phishing" 
| where Entities has "microsoft-support.net" 
| or Entities has "login-office365-verify.online"

10. Lessons Learned & Improvements

What Worked Well:

  1. User reporting via PhishMe button was timely and accurate
  2. Cofense Triage automation sped up initial analysis
  3. Cross-tool integration allowed rapid containment

Areas for Improvement:

  1. Detection: Need earlier detection of newly registered spoof domains
  2. Response: Automated remediation for confirmed phishing emails
  3. Education: More targeted training for finance department

Action Items:

  1. Immediate (1-2 days):
    • Schedule phishing simulation targeting Microsoft 365 credentials
    • Update security awareness materials with this real example
  2. Short-term (1 week):
    • Implement domain age filtering in email gateway
    • Create automated playbook for PhishMe-reported emails
  3. Long-term (1 month):
    • Evaluate additional email security solutions with better brand impersonation detection
    • Implement User Entity Behavior Analytics (UEBA) for credential compromise detection

11. Resolution Verification

Email Security Verification:

  • Proofpoint logs show no further emails from blocked domains
  • Microsoft 365 shows no similar emails in quarantine
  • URL blocklists updated across all security tools

User Verification:

  • User confirmed no interaction beyond reporting
  • Password successfully changed
  • MFA re-confirmed as active

Threat Hunting Verification:

  • No successful logins from suspicious IPs in past 7 days
  • No credential harvesting alerts in Microsoft Defender for Identity
  • No suspicious PowerShell or command execution events

12. Conclusion

This user-reported phishing incident demonstrates the effectiveness of security awareness training and reporting mechanisms. The user’s vigilance prevented potential credential compromise, and the SOC’s rapid response contained the threat across the organization. While the attack was moderately sophisticated, existing security controls functioned as designed with human oversight.

Positive Outcomes:

  • User behavior aligned with security training expectations
  • Security tools integrated effectively for investigation
  • No business impact or data compromise occurred
  • Opportunity to enhance detection and prevention controls

Closure Rationale: All malicious content contained and eradicated, security controls enhanced, user educated and recognized, and monitoring improved for similar attacks.

Follow-up Date: February 19, 2024 (30-day review of enhanced controls)

Analyst: [Walter White], SOC Analyst
Date: 2024-01-19 18:00 EST

Leave a Comment