Proofpoint Alert Details
Alert ID: PROOFPOINT-INTERNAL-PHISH-1534-7842
Alert Time: 2024-02-25 10:30:22 EST
Severity: CRITICAL (98/100)
Source: Proofpoint Email Security
Rule: “Internal Spearphishing – Compromised Account Sending Malicious Emails”
MITRE ATT&CK: T1534 – Internal Spearphishing
Alert Details:
Detection: Compromised internal account sending phishing emails to other employees
Compromised Account: jwilson@company.com (John Wilson, IT Administrator)
Recipients: 47 employees (Finance, HR, Executive)
Time: 10:15-10:30 EST
Email Details:
From: jwilson@company.com (legitimate internal address)
Subject: “Urgent: IT Security Update – Action Required”
Body:
Dear Colleague,
IT Security has detected unusual activity on your account. To prevent lockout, you must verify your credentials immediately.
Click here to verify: https://company-portal-verify[.]net
Failure to verify within 2 hours will result in account suspension.
Thanks,
IT Security Team
Link: https://company-portal-verify[.]net (malicious domain)
Anomaly Detection:
Sender jwilson normally sends 5-10 emails/day (all IT-related)
Today: 47 emails in 15 minutes to non-IT recipients
Email content unusual (threat of account suspension)
Link domain suspicious (not legitimate company portal)
MIME headers show originating IP 185.143.221[.]89 (Bulgaria)
Additional Context:
jwilson’s account had suspicious login earlier (from Bulgaria)
Account likely compromised
Internal phishing used to bypass email filters (trusted sender)
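The anomaly signals listed above (sending volume against the sender's baseline, recipient departments outside the sender's norm, a link host that is not the company portal, and an originating IP outside the company network) can be checked in a short script. The block below is an added example written for this report, not Proofpoint's detection logic; the message-trace records, the sender baseline, the allow-listed portal hosts and the 15-minute burst window are constructed assumptions.

```python
"""Sender-anomaly detection for internal spearphishing (T1534).

Added example; this is not Proofpoint's detection logic. The message-trace
records, the sender baseline and the allow-listed portal hosts are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

BURST_WINDOW = timedelta(minutes=15)

# Constructed baseline for the sender, as a 30-day sending profile would give it.
SENDER_BASELINE = {
    "jwilson@company.com": {
        "daily_max": 10,                      # normally 5-10 emails/day
        "usual_departments": {"IT"},          # normally mails IT colleagues only
        "internal_networks": ["10.0.0.0/8"],  # where his mail normally originates
    },
}
# Assumed allow list of the company's real portal hosts.
LEGIT_PORTAL_DOMAINS = {"portal.company.com", "login.company.com"}


def link_host(url: str) -> str:
    """Return the host part of a URL, accepting defanged forms (hxxps, [.])."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def peak_burst(times: list[datetime], window: timedelta) -> int:
    """Largest number of messages that fall inside any span of length `window`."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyse_sender(sender: str, trace: list[dict]) -> list[str]:
    """Return human-readable findings for one sender over a message trace."""
    base = SENDER_BASELINE.get(sender)
    msgs = [m for m in trace if m["from"] == sender]
    if not base or not msgs:
        return []
    findings = []

    # 1. Volume: a 15-minute burst larger than a whole normal day.
    peak = peak_burst([m["time"] for m in msgs], BURST_WINDOW)
    if peak > base["daily_max"]:
        findings.append(f"volume: {peak} messages in 15 min (daily max {base['daily_max']})")

    # 2. Audience: recipients in departments this sender does not normally mail.
    unusual = Counter(m["dept"] for m in msgs if m["dept"] not in base["usual_departments"])
    if unusual:
        findings.append("audience: unusual departments " + ", ".join(sorted(unusual)))

    # 3. Links: hosts that are not the company's real portal.
    bad_hosts = {link_host(u) for m in msgs for u in m["urls"]} - LEGIT_PORTAL_DOMAINS
    if bad_hosts:
        findings.append("link: non-company host(s) " + ", ".join(sorted(bad_hosts)))

    # 4. Origin: the originating IP from the Received headers is not internal.
    nets = [ipaddress.ip_network(n) for n in base["internal_networks"]]
    external = {m["origin_ip"] for m in msgs
                if not any(ipaddress.ip_address(m["origin_ip"]) in n for n in nets)}
    if external:
        findings.append("origin: external IP(s) " + ", ".join(sorted(external)))
    return findings


def severity(findings: list[str]) -> str:
    """Map the number of independent anomalies to a triage severity."""
    return {0: "NONE", 1: "LOW", 2: "MEDIUM"}.get(len(findings), "CRITICAL")


def constructed_trace() -> list[dict]:
    """Constructed message-trace records shaped like the alert in this report."""
    t0 = datetime(2024, 2, 25, 10, 15)
    trace = [  # two ordinary IT emails earlier in the morning, from the office LAN
        {"from": "jwilson@company.com", "to": "helpdesk@company.com", "dept": "IT",
         "time": datetime(2024, 2, 25, 8, 5), "origin_ip": "10.20.1.15", "urls": []},
        {"from": "jwilson@company.com", "to": "netops@company.com", "dept": "IT",
         "time": datetime(2024, 2, 25, 9, 10), "origin_ip": "10.20.1.15", "urls": []},
    ]
    depts = ["Finance", "HR", "Executive"]
    for i in range(47):  # the 47-message burst, 10:15-10:30, originating from the attacker IP
        trace.append({"from": "jwilson@company.com", "to": f"user{i:02d}@company.com",
                      "dept": depts[i % 3], "time": t0 + timedelta(seconds=i * 19),
                      "origin_ip": "185.143.221.89",
                      "urls": ["hxxps://company-portal-verify[.]net"]})
    return trace


if __name__ == "__main__":
    found = analyse_sender("jwilson@company.com", constructed_trace())
    print(severity(found))
    for f in found:
        print(" -", f)
```

Each of the four checks is independent, so a sender who legitimately mails a new department once only scores LOW; it is the combination of burst, audience, link and origin that reaches CRITICAL, which matches how the alert above was scored.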
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Proofpoint alert | Proofpoint TAP Console | Confirmed internal spearphishing campaign |
| 2. Account Compromise | Check jwilson account activity | Azure AD Sign-in Logs | Successful login from Bulgaria at 10:00 (no MFA) |
| 3. Immediate Action | Disable jwilson account | Azure AD, Active Directory | Account disabled |
| 4. Email Remediation | Quarantine all sent emails | Proofpoint, Exchange | All 47 emails removed from recipient inboxes |
| 5. Recipient Notification | Alert affected users | Email, Teams | Users warned; no clicks reported (yet) |
| 6. IP Blocking | Block attacker IP | Firewall, Conditional Access | IP 185.143.221[.]89 blocked |
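Step 2 of the table pulls jwilson's sign-ins to find the foreign, non-MFA login that marks the account takeover, and that timestamp then bounds the scope of steps 3 and 4. The script below is an added example, not Microsoft's or the SOC's own tooling: it triages constructed sign-in records that borrow a subset of the Microsoft Graph signIn field names (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, authenticationRequirement, status.errorCode). The expected-country set, the privileged-user list, the 2-hour impossible-travel window and the earlier office sign-in are assumptions.

```python
"""Sign-in log triage for a privileged account suspected of takeover.

Added example; not Microsoft's or the SOC's tooling. Records are constructed
and use a subset of the Graph signIn field names (treat the schema as an
assumption).
"""
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}                 # assumption: where staff normally sign in
PRIVILEGED_USERS = {"jwilson@company.com"}  # assumption: constructed admin-role list
TRAVEL_WINDOW = timedelta(hours=2)          # assumption: two countries inside 2 h is impossible travel


def _ts(rec: dict) -> datetime:
    """Parse the record's ISO-8601 UTC timestamp."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage_signins(records: list[dict]) -> list[dict]:
    """Flag successful sign-ins that matter for an account-takeover investigation.

    Three checks: (1) privileged account signed in without MFA, (2) country
    outside the expected set, (3) impossible travel: two successful sign-ins
    for the same user from different countries less than TRAVEL_WINDOW apart.
    Failed sign-ins (non-zero errorCode) are skipped; they belong to a
    brute-force view, not to this one.
    """
    ok = sorted((r for r in records if r["status"]["errorCode"] == 0), key=_ts)
    last_by_user: dict[str, dict] = {}
    flagged = []
    for r in ok:
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if upn in PRIVILEGED_USERS and r["authenticationRequirement"] != "multiFactorAuthentication":
            reasons.append("no MFA on privileged account")
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country {country}")
        prev = last_by_user.get(upn)
        if prev is not None:
            prev_country = prev["location"]["countryOrRegion"]
            gap = _ts(r) - _ts(prev)
            if prev_country != country and gap < TRAVEL_WINDOW:
                reasons.append(f"impossible travel from {prev_country} in {int(gap.total_seconds() // 60)} min")
        last_by_user[upn] = r
        if reasons:
            flagged.append({"user": upn, "time": r["createdDateTime"],
                            "ip": r["ipAddress"], "reasons": reasons})
    return flagged


def compromise_window(flagged: list[dict], user: str):
    """Earliest flagged sign-in for the user: the start of the containment scope.

    Every mailbox or session action after this time is treated as attacker
    activity when quarantining sent mail and revoking sessions.
    """
    times = [f["time"] for f in flagged if f["user"] == user]
    return min(times) if times else None


def constructed_signins() -> list[dict]:
    """Constructed sign-in records; timestamps are UTC (EST + 5 h)."""
    def rec(upn, when, ip, country, mfa, err=0):
        return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
                "location": {"countryOrRegion": country},
                "authenticationRequirement": "multiFactorAuthentication" if mfa
                else "singleFactorAuthentication",
                "status": {"errorCode": err}}
    return [
        rec("jwilson@company.com", "2024-02-25T13:00:00Z", "203.0.113.10", "US", True),    # office, 08:00 EST
        rec("asmith@company.com", "2024-02-25T13:30:00Z", "203.0.113.10", "US", True),
        rec("jwilson@company.com", "2024-02-25T14:36:00Z", "185.143.221.89", "BG", False), # attacker, 09:36 EST
        rec("jwilson@company.com", "2024-02-25T14:40:00Z", "185.143.221.89", "BG", False, err=50126),  # failed attempt
    ]


if __name__ == "__main__":
    flagged = triage_signins(constructed_signins())
    for f in flagged:
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print("containment scope starts at", compromise_window(flagged, "jwilson@company.com"))
```

The impossible-travel check is what separates a genuinely travelling admin from a stolen session: a single foreign sign-in is ambiguous, but a US office sign-in followed by a Bulgarian one 96 minutes later, without MFA, is not.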
Jira Incident Report
Ticket: SOC-2024-130
Summary: T1534 – Internal Spearphishing via Compromised IT Admin Account
Status: RESOLVED
Resolution: MALICIOUS – Account Secured, Emails Removed
Priority: P1 – CRITICAL
Labels: T1534, internal-spearphishing, account-takeover, proofpoint, phishing
Components: Email-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Proofpoint Email Security.
Alert: “Internal Spearphishing – Compromised Account Sending Malicious Emails”.
Compromised Account: jwilson@company.com (IT Administrator).
Recipients: 47 internal users (Finance, HR, Executive).
Time: 2024-02-25 10:30 EST.
Technique: MITRE ATT&CK T1534 – Internal Spearphishing.
2. Technical Analysis:
Attack Chain:
09:30 – jwilson receives phishing email (external)
09:35 – jwilson clicks link, enters credentials on fake Microsoft login
09:36 – Attacker logs into jwilson account from 185.143.221[.]89
09:45 – Attacker accesses Outlook Web App
10:00 – Attacker crafts phishing email using legitimate account
10:15-10:30 – Attacker sends 47 emails to internal users
10:30 – Proofpoint detects anomaly
10:32 – SOC investigates
Phishing Email Analysis:
From: jwilson@company.com (legitimate, trusted)
Subject: “Urgent: IT Security Update – Action Required”
Link: hxxps://company-portal-verify[.]net
Domain Details: Registered 2024-02-24, hosted on 185.143.221[.]89
Page: Fake company login page (credential harvester)
Attacker Infrastructure:
IP: 185.143.221[.]89 (Bulgaria)
Domain: company-portal-verify[.]net (now blocked)
Impact Assessment:
47 recipients; 12 opened email; 3 clicked link
No credentials entered (users reported suspicious)
No secondary compromise
3. Investigation Findings:
Timeline:
09:30 – jwilson phished
09:36 – Account compromised
10:00-10:30 – Internal phishing sent
10:30 – Proofpoint alert
10:32 – SOC investigates
10:34 – jwilson account disabled
10:35 – Emails quarantined
10:36 – Recipients notified
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– Malicious Domain: company-portal-verify[.]net
Email:
– From: jwilson@company.com
– Subject: “Urgent: IT Security Update – Action Required”
– Link: hxxps://company-portal-verify[.]net
Account:
– jwilson (compromised, now secured)
4. Containment Actions:
Immediate Actions:
Disabled jwilson account.
Quarantined all 47 emails from recipient mailboxes.
Reset jwilson password.
Enforced MFA.
Blocked attacker IP and domain at firewall and proxy.
Recipient Remediation:
Notified all 47 users.
Checked for credential entry (none).
Educated on internal phishing risks.
Infrastructure Takedown:
Reported domain to registrar (suspended).
5. Root Cause Analysis:
Primary Cause: IT admin account compromised via external phishing.
Contributing Factors:
No MFA on admin account.
User fell for credential harvesting.
Internal emails bypass external filtering (trusted sender).
6. Business Impact:
Operational Impact: IT admin offline for 2 hours.
Data Exposure: None (no secondary compromises).
Reputational Impact: Internal trust potentially affected.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Emails removed.
Recipients notified.
Infrastructure blocked.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented anomaly detection for internal email patterns.
Added banner to internal emails from IT indicating “official IT communications never ask for credentials”.
Enhanced email filtering for internal-originated phishing.
8. Conclusion:
An attacker compromised an IT admin’s account via external phishing and used it to send internal spearphishing emails to 47 employees, leveraging trust in an internal sender. Proofpoint detected the anomalous sending pattern and enabled rapid containment. No secondary compromises occurred.
Closure Rationale: Account secured; emails removed; recipients notified.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 11:30 EST
Batch 19: Lateral Movement & Collection Incident Reports