Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-INFO-7842
Alert Time: 2024-02-10 10:15:22 EST
Severity: HIGH (82/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing Attempt Detected”
MITRE ATT&CK: T1598 – Phishing for Information (sub-technique T1598.003 – Spearphishing Link)
Alert Details:
Email Analysis Report:
Sender: noreply@adp-payroll[.]net
Reply-To: support@payroll-verify[.]com
Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”
Recipients: 47 employees (Finance, HR, Executive)
Time: 2024-02-10 10:05 EST
Email Headers:
– Return-Path: bounce@mailing-service[.]ru
– SPF: FAIL (sender IP 185.143.221[.]45 not authorized)
– DKIM: none
– DMARC: FAIL
– X-Originating-IP: 185.143.221[.]45
Email Body:
“Dear Employee,
Our records indicate that your Q1 payroll statement contains discrepancies that require immediate verification. Failure to verify within 24 hours will result in delayed salary processing.
Please click the link below to access your statement and verify your information:
This is a secure link that expires in 24 hours.
Thank you,
ADP Payroll Services”
URL Analysis:
– Domain: adp-verify-portal[.]com
– Registration: 2024-02-09 (one day before the email was sent)
– Registrar: Namecheap
– Hosting IP: 185.143.221[.]45 (Bulgaria)
– URLScan.io: Phishing page mimicking ADP login
– VirusTotal: 48/94 vendors flag as malicious
Attachment: None (link-based phishing)
Threat Intelligence:
– Domain pattern matches known payroll phishing campaign
– IP 185.143.221[.]45 associated with TA569 (credential harvesting)
– Similar emails targeting finance/HR departments nationwide
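The header and URL indicators above are exactly what a first-pass triage script can score before an analyst opens the console. The block below is an added example, not Proofpoint code and not part of the original report: it parses a constructed copy of this message with Python's standard `email` module, reads the SPF/DKIM/DMARC verdicts from the gateway's Authentication-Results header, checks that From, Reply-To and Return-Path agree, flags brand-lookalike domains, and checks the registration age of any linked domain. The WHOIS table, the brand allowlist, the score weights and the benign control message are assumptions, not data from the alert.

```python
"""Triage a link-based phishing e-mail from its raw headers and body.

Added example, not Proofpoint code or part of the original report. The
message below is constructed to mirror the alert; the WHOIS table and the
brand list are assumed stand-ins for a live RDAP lookup and a vendor
allowlist.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that mirrors the alert's headers (not a real capture).
PHISH_EMAIL = """\
Return-Path: <bounce@mailing-service.ru>
From: ADP Payroll <noreply@adp-payroll.net>
Reply-To: support@payroll-verify.com
Subject: ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification
X-Originating-IP: 185.143.221.45
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailing-service.ru; dkim=none; dmarc=fail header.from=adp-payroll.net
Content-Type: text/plain

Dear Employee,
Please click the link below to access your statement and verify your information:
https://adp-verify-portal.com/secure/statement
This is a secure link that expires in 24 hours.
"""

# Constructed benign control: aligned domains, all three checks pass.
BENIGN_EMAIL = """\
Return-Path: <bounce@adp.com>
From: ADP <noreply@adp.com>
Subject: Your statement is available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=adp.com; dkim=pass header.d=adp.com; dmarc=pass header.from=adp.com
Content-Type: text/plain

Your statement is available at https://my.adp.com/ when convenient.
"""

# Assumed stand-ins for a WHOIS/RDAP creation-date lookup and a brand allowlist.
WHOIS_CREATED = {"adp-verify-portal.com": date(2024, 2, 9)}
PROTECTED_BRANDS = {"adp": {"adp.com"}}
URGENCY_PHRASES = ("24 hours", "immediate", "action required", "failure to")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def registrable(host):
    """Last two labels of a hostname; adequate for the .com/.net/.ru cases here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of(header_value):
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    addr = parseaddr(header_value)[1]
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the gateway's Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def lookalike_brand(domain):
    """Brand token present in a domain that is not on that brand's allowlist."""
    tokens = set(re.split(r"[^a-z0-9]+", domain.lower()))
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in tokens and domain not in legit:
            return brand
    return None

def triage(raw, today=date(2024, 2, 10)):
    """Score a raw message 0-100 and list the reasons; weights are assumptions."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    auth = auth_results(msg)
    for check, weight in (("spf", 20), ("dkim", 10), ("dmarc", 25)):
        if auth.get(check) != "pass":
            score += weight
            reasons.append(f"{check}={auth.get(check, 'missing')}")
    from_dom = domain_of(msg.get("From", ""))
    # SPF is evaluated on the Return-Path domain; DMARC aligns it with From.
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_dom:
            score += 15 if hdr == "Return-Path" else 10
            reasons.append(f"{hdr} domain {other} != From domain {from_dom}")
    body = msg.get_payload()
    url_domains = sorted({registrable(h) for h in URL_RE.findall(body)})
    for dom in [from_dom] + url_domains:
        brand = lookalike_brand(dom)
        if brand:
            score += 20
            reasons.append(f"{dom} is a lookalike of protected brand '{brand}'")
        created = WHOIS_CREATED.get(dom)
        if created and (today - created).days < 30:
            score += 20
            reasons.append(f"{dom} registered {(today - created).days} day(s) ago")
    if any(p in body.lower() for p in URGENCY_PHRASES):
        score += 5
        reasons.append("urgency language in body")
    score = min(score, 100)
    verdict = "malicious" if score >= 70 else "suspicious" if score >= 40 else "clean"
    return {"score": score, "verdict": verdict, "from_domain": from_dom,
            "url_domains": url_domains, "reasons": reasons}

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(raw)
        print(name, result["verdict"], result["score"], *result["reasons"], sep="\n  ")
```

The alignment check matters because SPF only authorises the Return-Path domain (mailing-service[.]ru here); an attacker who controls that domain can make SPF pass, so the DMARC verdict against the From domain and the From/Return-Path mismatch are the signals to weight, not the SPF result alone.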
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify email analysis in Proofpoint | Proofpoint TAP Console | Confirmed malicious phishing email |
| 2. URL Analysis | Investigate phishing domain | URLScan.io, VirusTotal | Domain hosts ADP credential harvester |
| 3. Recipient Identification | Identify all targeted users | Proofpoint Logs, AD | 47 users in Finance, HR, Exec teams |
| 4. Email Remediation | Quarantine and remove emails | Proofpoint, Exchange Online | All 47 emails quarantined; purged from inboxes |
| 5. User Notification | Alert targeted users | Email, Teams, Phone | All users notified; no clicks reported |
| 6. Infrastructure Blocking | Block domain and IP | Palo Alto, Cisco Umbrella | Domain and IP added to blocklists |
Jira Incident Report
Ticket: SOC-2024-050
Summary: T1598 – Payroll-Themed Credential Phishing Campaign
Status: RESOLVED
Resolution: MALICIOUS – Phishing Blocked
Priority: P2 – MEDIUM
Labels: T1598, phishing, credential-harvesting, payroll, proofpoint
Components: Email-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Proofpoint Targeted Attack Protection (TAP).
- Alert: “Credential Phishing Attempt Detected”.
- Targets: 47 employees (Finance, HR, Executive).
- Time: 2024-02-10 10:15 EST.
- Technique: MITRE ATT&CK T1598 – Phishing for Information (T1598.003 – Spearphishing Link).
2. Technical Analysis:
- Email Details:
- Sender: noreply@adp-payroll[.]net (lookalike domain impersonating ADP; not an adp.com address)
- Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”
- Theme: Payroll discrepancy requiring immediate action
- Social Engineering: Urgency (“24 hours”), authority (ADP branding)
- Infrastructure Analysis:
- Domain: adp-verify-portal[.]com (registered 2024-02-09)
- IP: 185.143.221[.]45 (Bulgaria VPS)
- Hosting: Fake ADP login page with a credential-harvesting form
- TLS: Let's Encrypt domain-validated certificate for adp-verify-portal[.]com; the browser padlock only proves control of that domain, not any link to ADP
- Email Authentication:
- SPF: FAIL (sending IP 185.143.221[.]45 is not authorized for the Return-Path domain)
- DKIM: none (message unsigned)
- DMARC: FAIL (no aligned SPF or DKIM pass for the From domain adp-payroll[.]net)
- Nothing about the sender is authenticated; the From domain is an ADP lookalike rather than adp.com
- Campaign Impact:
- 47 internal recipients
- All emails quarantined within 5 minutes of delivery (delivered 10:05, pulled back 10:10)
- Zero user clicks reported
- No credentials compromised
3. Investigation Findings:
- Timeline:
10:05 – Email delivered to 47 users
10:08 – Proofpoint TAP analyzes and flags as malicious
10:10 – Email automatically quarantined
10:15 – SOC alert generated
10:18 – Investigation begins
10:25 – All users notified
10:30 – Domain/IP added to blocklists
10:35 – Takedown request submitted
- Indicators of Compromise (IoCs):
Email:
– Sender: noreply@adp-payroll[.]net
– Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”
Network:
– Domain: adp-verify-portal[.]com
– IP: 185.143.221[.]45
– URL: hxxps://adp-verify-portal[.]com/secure/statement
4. Containment Actions:
- Immediate Remediation (10:15-10:30 EST):
- All 47 emails quarantined via Proofpoint.
- Purged from user inboxes using Exchange Online.
- Domain and IP blocked at firewall and DNS.
- URL added to web proxy blocklist.
- User Notification (10:25-10:45 EST):
- All 47 users contacted via email and Teams.
- No recipient reported clicking the link.
- Security awareness reminder sent to department.
- Takedown Request (10:35 EST):
- Reported to Namecheap abuse.
- Reported to hosting provider.
- Domain suspended within 24 hours.
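User notification only yields self-reported clicks; the check a practitioner wants before closing a ticket like this is a search of proxy and DNS logs for the IoCs across the whole day, not just the 5-minute delivery window. The block below is an added example, not part of the original report or any vendor tooling, that runs that search over constructed log lines with an assumed IP-to-user map. Unlike the real incident, the sample deliberately contains one click and one form POST so the logic has something to surface.

```python
"""Corroborate "no one clicked" against proxy and DNS logs rather than
user self-report. Added example, not part of the original report or any
vendor tooling. Log formats, the IP-to-user map and the timestamps are
constructed; the sample deliberately contains a click and a form POST so
the logic has something to find (the real incident recorded none).
"""
from datetime import datetime

IOC_DOMAINS = {"adp-verify-portal.com", "adp-payroll.net", "payroll-verify.com"}
IOC_IPS = {"185.143.221.45"}
# Search from delivery (10:05 EST) to end of day, not just until the purge:
# a user can still open a copy from a phone or a forwarded message.
WINDOW_START = datetime.fromisoformat("2024-02-10T10:05:00-05:00")
WINDOW_END = datetime.fromisoformat("2024-02-10T23:59:59-05:00")

# Constructed proxy log: time src_ip user method url status action
PROXY_LOG = """\
2024-02-10T10:03:12-05:00 10.20.5.17 jdoe GET https://my.adp.com/ 200 ALLOWED
2024-02-10T10:07:41-05:00 10.20.5.17 jdoe GET https://adp-verify-portal.com/secure/statement 200 ALLOWED
2024-02-10T10:08:02-05:00 10.20.5.17 jdoe POST https://adp-verify-portal.com/secure/login 302 ALLOWED
2024-02-10T10:41:10-05:00 10.20.5.22 asmith GET https://adp-verify-portal.com/secure/statement 403 BLOCKED
2024-02-10T14:02:55-05:00 10.20.5.40 bkim GET http://185.143.221.45/ 403 BLOCKED
"""
# Constructed resolver log: time client_ip qname qtype
DNS_LOG = """\
2024-02-10T10:07:40-05:00 10.20.5.17 adp-verify-portal.com A
2024-02-10T10:09:15-05:00 10.20.5.30 login.microsoftonline.com A
2024-02-10T10:41:09-05:00 10.20.5.22 adp-verify-portal.com A
"""
# Assumed DHCP/AD mapping for attributing DNS lookups to users.
IP_TO_USER = {"10.20.5.17": "jdoe", "10.20.5.22": "asmith",
              "10.20.5.30": "cdiaz", "10.20.5.40": "bkim"}

def registrable(host):
    """Last two labels of a hostname (enough for the .com/.net cases here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    """Hostname (or literal IP) from a URL, without scheme, port or path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]

def is_ioc(host):
    return host in IOC_IPS or registrable(host) in IOC_DOMAINS

def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        t, ip, user, method, url, status, action = line.split()
        rows.append({"time": datetime.fromisoformat(t), "ip": ip, "user": user,
                     "method": method, "host": host_of(url), "url": url,
                     "status": int(status), "action": action})
    return rows

def parse_dns(text):
    rows = []
    for line in text.splitlines():
        t, ip, qname, qtype = line.split()
        rows.append({"time": datetime.fromisoformat(t), "ip": ip, "host": qname})
    return rows

def ioc_hits(proxy_rows, dns_rows, start=WINDOW_START, end=WINDOW_END,
             ip_to_user=IP_TO_USER):
    """Every log event in the window that touched an IoC, attributed to a user."""
    hits = []
    for r in proxy_rows:
        if start <= r["time"] <= end and is_ioc(r["host"]):
            hits.append({"source": "proxy", "time": r["time"], "user": r["user"],
                         "host": r["host"], "method": r["method"], "action": r["action"]})
    for r in dns_rows:
        if start <= r["time"] <= end and is_ioc(r["host"]):
            hits.append({"source": "dns", "time": r["time"],
                         "user": ip_to_user.get(r["ip"], r["ip"]),
                         "host": r["host"], "method": None, "action": "RESOLVED"})
    return sorted(hits, key=lambda h: h["time"])

def summarise(hits):
    """Who touched the infrastructure, who reached it, who may have posted creds."""
    allowed = [h for h in hits if h["source"] == "proxy" and h["action"] == "ALLOWED"]
    return {
        "contacted": {h["user"] for h in hits},
        "allowed_clicks": {h["user"] for h in allowed},
        "credential_posts": {h["user"] for h in allowed if h["method"] == "POST"},
    }

if __name__ == "__main__":
    hits = ioc_hits(parse_proxy(PROXY_LOG), parse_dns(DNS_LOG))
    for h in hits:
        print(h["time"].isoformat(), h["source"], h["user"], h["host"],
              h["method"] or "", h["action"])
    print(summarise(hits))
```

Read the three sets differently: an ALLOWED GET is a confirmed click, an ALLOWED POST to the harvesting page should be treated as a probable credential submission (reset the password and revoke sessions for that account before closing), and a BLOCKED hit after the 10:30 blocklist change confirms the block is working but still means that user opened the lure. A ticket can honestly say "no clicks" only when all three sets come back empty.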
5. Root Cause Analysis:
- Primary Cause: External attacker conducting payroll-themed phishing campaign.
- Contributing Factors:
- Finance and HR staff are routinely targeted with payroll-themed lures.
- The lookalike sender and landing domains closely mimic legitimate ADP communications.
6. Business Impact:
- Operational Impact: None.
- Data Exposure: None (no clicks, no credentials compromised).
- Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
All malicious emails removed.
Infrastructure blocked.
Users notified and educated.
Takedown requests submitted.
Prevention Enhancements:
Enhanced Proofpoint rules for payroll-themed emails.
Added “ADP” and “payroll” keywords to impersonation protection.
Scheduled department-specific phishing simulation.
8. Conclusion:
This incident involved a targeted payroll-themed phishing campaign attempting to harvest employee credentials. Proofpoint TAP flagged the message three minutes after delivery and pulled it from all 47 mailboxes within five; no recipient reported clicking the link, and no compromise was identified.
Closure Rationale: Phishing quarantined and blocked; no user compromise reported; takedown requested with the registrar and hosting provider.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 11:30 EST