Email Details:
Reported Via: PhishMe (Cofense) Reporter Button in Outlook
Reporting User: asmith (Alex Smith, HR Department)
Report Time: 2024-01-22 09:45 EST
Confidence: High (User commented: “Suspicious sender, not our IT team”)
Sender: payroll-update@hronboarding[.]net
Subject: ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification
Received: Today, 09:30 AM
Email Body:
Dear Employee,

The HR and Payroll Department has identified inconsistencies in your direct deposit information for the upcoming pay cycle. To ensure timely payment, you must verify and update your banking details immediately. Failure to update this information within 12 hours will result in:
1. Delayed salary payment
2. Manual check issuance (7-10 business days delay)
3. Administrative hold on your account

CLICK HERE TO VERIFY YOUR DIRECT DEPOSIT INFORMATION: hxxps://payroll-verification-hr[.]com/secure/update?employee=asmith

Note: This link is secure and will expire in 12 hours. You will need to enter your corporate credentials for verification.

Sincerely,
Corporate Payroll Department
Human Resources
Initial Triage Observation: The domain hronboarding.net is not our corporate domain (companyhr.com). The extreme urgency (“12 hours”, “delayed salary”) targets financial anxiety. The request for corporate credentials on a non-corporate domain is a major red flag.
Analysis Process & Tools Used
| Step | Action | Tool(s) Used | Purpose & Findings |
|---|---|---|---|
| 1. Reception & Triage | Alert generated from PhishMe report. | Cofense Triage, Microsoft 365 Defender | Email quarantined automatically. SOC analyst notified via Splunk alert. User marked email correctly as phishing. |
| 2. Header & Metadata Analysis | Extract full email headers, SPF/DKIM/DMARC results. | Microsoft 365 Message Header Analyzer, MxToolbox | – Return-Path: bounce7823@bulkmailer[.]pro – SPF: FAIL (Sender IP not in companyhr.com SPF) – DKIM: PASS for hronboarding.net (spoofed) – DMARC: FAIL (Policy violation) – Source IP: 194.87.216[.]33 (Bulgaria, known phishing host) |
| 3. URL & Attachment Analysis | Analyze the embedded link without clicking. | URLScan.io, VirusTotal, Palo Alto WildFire | – URL: hxxps://payroll-verification-hr[.]com/secure/update – VirusTotal: 54/92 vendors flagged as phishing – URLScan.io: Page clones our actual HR portal login – Domain Age: 5 days old (registered via Namecheap) |
| 4. Credential Harvesting Analysis | Detonate URL in sandbox, analyze form behavior. | ANY.RUN, Browserling | Analysis confirms: 1) HR portal clone with company branding, 2) Captures username/password, 3) Immediately forwards to real HR portal (session hijacking attempt), 4) No malware download. |
| 5. Internal Threat Hunting | Check if others received this or visited the URL. | Proofpoint Email Gateway Logs, Splunk SIEM, Cisco Umbrella | – Email Campaign: Sent to 82 HR and Finance employees – Block Rate: 78 blocked at gateway, 4 delivered (including reporter) – Endpoint Checks: No hits for connections to malicious domain – Proxy Logs: No successful visits from corporate IPs |
| 6. Campaign Attribution | Check threat intelligence for similar campaigns. | Recorded Future, Cofense Intelligence, Microsoft Defender Threat Intelligence | Campaign matches TA554 (financial-themed phishing) with infrastructure overlap. Targets HR departments during payroll cycles. |
| 7. Containment & Remediation | Block threats, clean up delivered emails. | Proofpoint Email Security, Palo Alto Firewall, Microsoft 365 Security & Compliance | 1. Blocked sender domain and IP at email gateway 2. Added URL to DNS and web filter blocklists (Cisco Umbrella) 3. Purged all instances from mailboxes via Compliance Search 4. No endpoint remediation required |
| 8. User Notification & Awareness | Inform reporting user and vulnerable departments. | Jira Service Management, KnowBe4, Microsoft Teams | 1. Thanked user via email and security recognition program 2. Sent HR department security alert about payroll phishing 3. Updated security awareness training with this example |
Jira Analyst Comment
Jira Ticket: SOC-2024-022
Summary: Phishing: HR Payroll Verification Scam Reported via PhishMe
Status: Resolved
Resolution: Malicious - Credential Harvesting Attempt
Priority: P2 - Medium
Labels: phishing, credential-harvesting, HR-department, user-reported, financial-scam
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Reported By: User “asmith” from HR Department via PhishMe button.
- Email Subject: “ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification”
- Targeted Technique: Credential Harvesting with Financial Social Engineering (Payroll theme).
2. Technical Analysis:
- Email Authentication: SPF Hard Fail, DMARC Fail. Confirmed domain spoofing attempt. The email originated from unauthorized infrastructure (Bulgarian IP).
- Sender Analysis: Spoofed display name “Corporate Payroll Department”. From domain hronboarding[.]net (typo-squatting variant targeting HR).
- Link Analysis:
- URL hxxps://payroll-verification-hr[.]com/secure/update was analyzed via URLScan.io and ANY.RUN.
- Hosts a high-fidelity clone of our corporate HR self-service portal.
- Captures entered credentials via POST to attacker-controlled server (194.87.216[.]33/data/capture).
- Implements session hijacking by forwarding users to legitimate HR portal post-capture.
- Campaign Impact: Email was sent to 82 employees in HR and Finance. Our email gateway (Proofpoint) blocked 78 based on reputation and SPF failure. Four copies reached inboxes due to graylisting delay; one was reported, three were deleted unopened.
3. Indicators of Compromise (IOCs) for Blocking
| Type | Indicator |
|---|---|
| URL | hxxps://payroll-verification-hr[.]com/secure/update |
| Domain | payroll-verification-hr[.]com |
| Domain | hronboarding[.]net |
| IP Address | 194.87.216[.]33 |
| Subject | ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification |
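Hunting these IOCs across mail-gateway and proxy exports, as step 5 of the analysis did with the Proofpoint logs, Splunk and Cisco Umbrella, can be reduced to a repeatable script that separates blocked copies from delivered ones and attempted visits from successful ones. This is an added example, not the report's own tooling; the log lines are constructed samples in a generic key=value form (not a real vendor format), and the refanged IOC values come from the table above.

```python
import re
from collections import Counter

# IOCs from the report, refanged for matching (the report lists them defanged).
IOC_DOMAINS = {"payroll-verification-hr.com", "hronboarding.net"}
IOC_IPS = {"194.87.216.33"}
IOC_SUBJECT = "ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification"

# Constructed sample exports in a generic key=value form (not a real Proofpoint/Umbrella format).
GATEWAY_LOG = """\
2024-01-22T09:30:01 from=payroll-update@hronboarding.net to=asmith@companyhr.com subject="ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification" action=deliver
2024-01-22T09:30:01 from=payroll-update@hronboarding.net to=jdoe@companyhr.com subject="Payroll notice" action=block reason=spf_fail
2024-01-22T09:30:02 from=noreply@HRONBOARDING.NET to=finance@companyhr.com subject="Direct deposit" action=block reason=reputation
2024-01-22T09:31:15 from=newsletter@vendor.example to=asmith@companyhr.com subject="January update" action=deliver
"""
PROXY_LOG = """\
2024-01-22T09:41:03 src=10.20.30.41 dst=203.0.113.10 host=www.example.org status=200
2024-01-22T09:42:10 src=10.20.30.41 dst=194.87.216.33 host=payroll-verification-hr.com status=0 action=blocked
2024-01-22T09:43:00 src=10.20.30.52 dst=203.0.113.10 host=www.example.org status=304
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> dict:
    """Turn `key=value key2="quoted value"` into a dict; the leading timestamp has no key and is ignored."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def hunt_gateway(log: str) -> dict:
    """Count blocked vs delivered copies of the campaign and list who received one (step 5, email side)."""
    outcomes, delivered_to = Counter(), []
    for line in log.splitlines():
        ev = parse_kv(line)
        sender_domain = ev.get("from", "").rpartition("@")[2].lower()
        if sender_domain in IOC_DOMAINS or ev.get("subject") == IOC_SUBJECT:
            outcomes[ev.get("action", "unknown")] += 1
            if ev.get("action") == "deliver":
                delivered_to.append(ev.get("to"))
    return {"delivered": outcomes["deliver"], "blocked": outcomes["block"], "delivered_to": delivered_to}

def hunt_proxy(log: str) -> list:
    """Return proxy events that touched an IOC host or IP, marking whether the request actually succeeded."""
    hits = []
    for line in log.splitlines():
        ev = parse_kv(line)
        if ev.get("host", "").lower() in IOC_DOMAINS or ev.get("dst") in IOC_IPS:
            # A blocked request or a non-2xx/3xx status is an attempt, not a successful visit.
            succeeded = ev.get("action") != "blocked" and ev.get("status", "0")[:1] in ("2", "3")
            hits.append({"src": ev.get("src"), "host": ev.get("host"), "successful": succeeded})
    return hits
```

The delivered_to list is the purge and notification scope, and any hit with successful set to True is the trigger for the credential-reset and HR-portal log review described under Investigation.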
4. Actions Taken:
- Containment:
- Blocked IOCs at Firewall (Palo Alto) and DNS Filter (Cisco Umbrella).
- Added sender domains to global email blocklist (Proofpoint).
- Purged all remaining instances of this email from user mailboxes using Microsoft 365 Compliance Search (New-ComplianceSearchAction -Purge).
- Investigation:
- Reviewed EDR (CrowdStrike) logs; no evidence of successful credential entry or endpoint compromise.
- Searched SIEM for authentication events from suspicious IPs; no matches.
- Checked HR portal logs for unusual login patterns from user “asmith”; none found.
- User Communication:
- The reporting user (asmith) has been thanked via personalized email and awarded 50 points in our security recognition program.
- A targeted security alert detailing this “payroll verification” scam has been sent to all HR and Finance department employees.
- This example has been added to the Q1 security awareness training module.
5. Conclusion & Recommendations:
- Conclusion: This was a targeted credential harvesting campaign exploiting payroll anxiety. The user’s timely report allowed us to contain the threat before any credentials were compromised. No breach occurred.
- Recommendations:
- Technical: Enable the “Impersonation Protection” feature in Proofpoint for HR and Finance department keywords (“payroll”, “direct deposit”, “salary”).
- Process: Implement a 24-hour delay on emails from domains registered less than 30 days ago when sent to financial departments.
- Training: Run a phishing simulation campaign with a payroll theme within the next 2 weeks to reinforce learning.
Ticket Closure Justification: All identified IOCs have been blocked across the security stack, the threat has been eradicated from the email environment, and no evidence of credential compromise exists. The reporting user has been recognized. This ticket can be closed.