T1598 – Phishing for Information (Proofpoint Detection)

Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-INFO-7842
Alert Time: 2024-02-10 10:15:22 EST
Severity: HIGH (82/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing Attempt Detected”
MITRE ATT&CK: T1598 – Phishing for Information

Alert Details:

Email Analysis Report:

Sender: noreply@adp-payroll[.]net

Reply-To: support@payroll-verify[.]com

Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”

Recipients: 47 employees (Finance, HR, Executive)

Time: 2024-02-10 10:05 EST

Email Headers:

– Return-Path: bounce@mailing-service[.]ru

– SPF: FAIL (sender IP 185.143.221[.]45 not authorized)

– DKIM: none

– DMARC: FAIL

– X-Originating-IP: 185.143.221[.]45

Email Body:

“Dear Employee,

Our records indicate that your Q1 payroll statement contains discrepancies that require immediate verification. Failure to verify within 24 hours will result in delayed salary processing.

Please click the link below to access your statement and verify your information:

https://adp-verify-portal[.]com/secure/statement

This is a secure link that expires in 24 hours.

Thank you,

ADP Payroll Services”

URL Analysis:

– Domain: adp-verify-portal[.]com

– Registration: 2024-02-09 (1 day ago)

– Registrar: Namecheap

– Hosting IP: 185.143.221[.]45 (Bulgaria)

– URLScan.io: Phishing page mimicking ADP login

– VirusTotal: 48/94 vendors flag as malicious

Attachment: None (link-based phishing)

Threat Intelligence:

– Domain pattern matches known payroll phishing campaign

– IP 185.143.221[.]45 associated with TA569 (credential harvesting)

– Similar emails targeting finance/HR departments nationwide

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify email analysis in Proofpoint | Proofpoint TAP Console | Confirmed malicious phishing email |
| 2. URL Analysis | Investigate phishing domain | URLScan.io, VirusTotal | Domain hosts ADP credential harvester |
| 3. Recipient Identification | Identify all targeted users | Proofpoint Logs, AD | 47 users in Finance, HR, Exec teams |
| 4. Email Remediation | Quarantine and remove emails | Proofpoint, Exchange Online | All 47 emails quarantined; purged from inboxes |
| 5. User Notification | Alert targeted users | Email, Teams, Phone | All users notified; no clicks reported |
| 6. Infrastructure Blocking | Block domain and IP | Palo Alto, Cisco Umbrella | Domain and IP added to blocklists |

Jira Incident Report
Ticket: SOC-2024-050
Summary: T1598 – Payroll-Themed Credential Phishing Campaign
Status: RESOLVED
Resolution: MALICIOUS – Phishing Blocked
Priority: P2 – MEDIUM
Labels: T1598, phishing, credential-harvesting, payroll, proofpoint
Components: Email-Security, Phishing-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Proofpoint Targeted Attack Protection (TAP).
Alert: “Credential Phishing Attempt Detected”.
Targets: 47 employees (Finance, HR, Executive).
Time: 2024-02-10 10:15 EST.
Technique: MITRE ATT&CK T1598 – Phishing for Information.

2. Technical Analysis:

Email Details:

Sender: noreply@adp-payroll[.]net (spoofed)
Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”
Theme: Payroll discrepancy requiring immediate action
Social Engineering: Urgency (“24 hours”), authority (ADP branding)

Infrastructure Analysis:

Domain: adp-verify-portal[.]com (registered 2024-02-09)
IP: 185.143.221[.]45 (Bulgaria VPS)
Hosting: Fake ADP login page with credential harvesting
SSL: Let’s Encrypt certificate issued to “ADP Portal”

Email Authentication:

SPF: FAIL (sender not authorized)
DKIM: none
DMARC: FAIL
Confirmed spoofing attempt
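The spoofing conclusion above rests on three signals: failed/absent SPF, DKIM and DMARC, sender domains that do not align (From vs. Reply-To vs. Return-Path), and a link domain registered the day before. The following Python triage check reproduces that reasoning over the header values from this alert; it is an added example, not Proofpoint's logic or the page's own code. The header block and the registration lookup are constructed from the values in the report, and the 30-day "newly registered" threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample: the defanged header values quoted in the alert above.
SAMPLE_HEADERS = """\
From: noreply@adp-payroll[.]net
Reply-To: support@payroll-verify[.]com
Return-Path: bounce@mailing-service[.]ru
Authentication-Results: spf=fail; dkim=none; dmarc=fail
X-Originating-IP: 185.143.221[.]45
"""

# Stand-in for a WHOIS/RDAP lookup; date taken from the URL analysis section.
DOMAIN_REGISTERED = {"adp-verify-portal.com": date(2024, 2, 9)}
NEW_DOMAIN_DAYS = 30  # assumption: treat domains younger than this as suspicious

def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_headers(raw):
    """Split 'Name: value' lines into a lowercase-keyed dict, refanging values."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = refang(value.strip())
    return headers

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def triage(raw_headers, link_domain, today):
    """Return the list of spoofing indicators found, in a fixed order."""
    h = parse_headers(raw_headers)
    findings = []
    auth = dict(re.findall(r"(spf|dkim|dmarc)=(\w+)", h.get("authentication-results", "")))
    for mech in ("spf", "dkim", "dmarc"):          # anything but "pass" is a finding
        if auth.get(mech) != "pass":
            findings.append(f"{mech}:{auth.get(mech, 'missing')}")
    sender = domain_of(h["from"])
    for field in ("reply-to", "return-path"):     # domain alignment with From
        if field in h and domain_of(h[field]) != sender:
            findings.append(f"{field}-mismatch:{domain_of(h[field])}")
    registered = DOMAIN_REGISTERED.get(link_domain)
    if registered is not None and (today - registered).days <= NEW_DOMAIN_DAYS:
        findings.append(f"new-domain:{(today - registered).days}d")
    return findings

def triage_sample():
    return triage(SAMPLE_HEADERS, "adp-verify-portal.com", date(2024, 2, 10))
```

Any single finding is grounds for a closer look; the six that this sample produces together match the "Confirmed spoofing attempt" verdict in the report.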

Campaign Impact:

47 internal recipients
All emails quarantined within 10 minutes of delivery
Zero user clicks reported
No credentials compromised

3. Investigation Findings:

Timeline:

10:05 – Email delivered to 47 users

10:08 – Proofpoint TAP analyzes and flags as malicious

10:10 – Email automatically quarantined

10:15 – SOC alert generated

10:18 – Investigation begins

10:25 – All users notified

10:30 – Domain/IP added to blocklists

10:35 – Takedown request submitted

Indicators of Compromise (IoCs):

Email:

– Sender: noreply@adp-payroll[.]net

– Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”

Network:

– Domain: adp-verify-portal[.]com

– IP: 185.143.221[.]45

– URL: hxxps://adp-verify-portal[.]com/secure/statement

4. Containment Actions:

Immediate Remediation (10:15-10:30 EST):

All 47 emails quarantined via Proofpoint.
Purged from user inboxes using Exchange Online.
Domain and IP blocked at firewall and DNS.
URL added to web proxy blocklist.

User Notification (10:25-10:45 EST):

All 47 users contacted via email and Teams.
Confirmed no users clicked the link.
Security awareness reminder sent to department.

Takedown Request (10:35 EST):

Reported to Namecheap abuse.
Reported to hosting provider.
Domain suspended within 24 hours.

5. Root Cause Analysis:

Primary Cause: External attacker conducting payroll-themed phishing campaign.
Contributing Factors:
Employees are frequent targets of payroll-themed attacks.
Spoofed domain closely mimics legitimate ADP communications.

6. Business Impact:

Operational Impact: None.
Data Exposure: None (no clicks, no credentials compromised).
Reputational Impact: None.

7. Remediation & Prevention:

Completed Actions:

All malicious emails removed.
Infrastructure blocked.
Users notified and educated.
Takedown requests submitted.

Prevention Enhancements:

Enhanced Proofpoint rules for payroll-themed emails.
Added “ADP” and “payroll” keywords to impersonation protection.
Scheduled department-specific phishing simulation.

8. Conclusion:

This incident involved a targeted payroll-themed phishing campaign attempting to harvest employee credentials. Proofpoint’s detection and automated quarantine prevented any user interaction. No compromise occurred.

Closure Rationale: Phishing blocked; no user compromise; infrastructure taken down.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 11:30 EST
