SOC140 — Phishing Mail Detected — Suspicious Task Scheduler|LetsDefend

Musindesarah
4 min read · Jan 9, 2024


In this brief investigation, we’ll walk through a detected phishing attempt to understand the steps taken to uncover the threat. Our story begins with an alert on March 21, 2021, indicating a suspicious email with the subject “COVID19 Vaccine.”

Figure 1 - Alert Report

The alert flagged an email from aaronluo@cmail.carleton.ca, sent to marked@letsdefend.io. The email, originating from 189.162.189.159, was blocked due to its suspicious nature.

1. Email Security

First, let's go to the Email Security tab and search for the sender address aaronluo@cmail.carleton.ca.

Figure 2 - Emails

The search reveals three emails sent to different recipients, each with suspicious file attachments. The email titled “COVID19 Vaccine” is selected for further inspection.

2. Suspicious Email Analysis

The email raises red flags. The urgency in the subject, “COVID19 Vaccine,” and the message urging immediate action (“Open it now!”) are classic phishing tactics. Including a password in the email (“infected”) is highly unusual and not a standard practice.

Figure 3 - Suspicious email

3. File Analysis

Searching the hash "72c812cf21909a48eb9cceb9e04b865d" on VirusTotal shows that 21 security vendors flagged the file as malicious, most of them labelling it a trojan. This reinforces the suspicion raised during the initial investigation.

A Trojan Horse Virus is a type of malware that downloads onto a computer disguised as a legitimate program. (Fortinet)

Figure 4 - VirusTotal result

To make our detective work even stronger, we’re also going to use Hybrid Analysis on the file hash.

Figure 5 - Hybrid Analysis results

The file with the hash "72c812cf21909a48eb9cceb9e04b865d" was also identified as malicious here. VirusTotal and Hybrid Analysis independently confirmed the nature of the file, providing a solid basis for treating it as a threat.

4. Finding Where the Email Went

Even though we know who sent the email and who was supposed to receive it, we don't yet know where it actually went. To find out, we check the network records: go to the Log Management page and search for the sender's IP address, 189.162.189.159.

Figure 6 - Log record

The destination IP is 172.16.20.3 and the destination port is 25 (SMTP).

5. Endpoint Security

Now, let's see what happened on the machine that was supposed to receive the phishing email. We use the destination IP address found on the Log Management page to look it up.

Figure 7 - Destination machine

Looking it up, we find that the destination machine is the MS Exchange Server.

Now we dig deeper: we check the process history and the terminal (command) history on that machine to see if anything suspicious happened.

Figure 8 - Process history
Figure 9 - Terminal history

The search revealed no suspicious activity. This was expected, since the email had already been blocked.

6. Playbook Answers

  • Attachments or URLs? Yes, a suspicious file was attached.
  • Analyzing URL/Attachment? The attachment was confirmed as malicious.
  • Mail Delivered to User? No, the mail was blocked.
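The steps above (sender lookup, hash verdict, log correlation, playbook answers) can be turned into a small triage helper. The following is an added example and not part of the original write-up or the LetsDefend platform; the key=value log format, the sample log lines and the `min_hits` vendor threshold are assumptions.

```python
"""Added triage helper: correlates the SOC140 alert's fields with log lines to
answer the playbook questions. Not part of the original write-up; the log line
format and the min_hits threshold are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed log lines in an assumed key=value export format (not real LetsDefend data).
LOG_LINES = [
    "2021-03-21 13:08:00 src=10.10.1.7 dst=172.16.20.3 dport=25 action=allowed",
    "2021-03-21 13:08:42 src=189.162.189.159 dst=172.16.20.3 dport=25 action=allowed",
]

# Values taken from the alert and the analysis in the write-up.
SOURCE_IP = "189.162.189.159"
ATTACHMENT_MD5 = "72c812cf21909a48eb9cceb9e04b865d"
VENDOR_DETECTIONS = 21      # VirusTotal vendors flagging the hash
DEVICE_ACTION = "Blocked"   # email gateway verdict from the alert

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass
class PlaybookAnswers:
    has_attachment: bool
    attachment_malicious: bool
    delivered: bool
    destination: Optional[Tuple[str, int]]   # (dst_ip, dport) reached by the sender, if logged


def find_destination(lines, src_ip):
    """Step 4: the first log line whose source is the alert's IP gives the dst IP and port."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("src") == src_ip:
            return m.group("dst"), int(m.group("dport"))
    return None


def triage(lines, src_ip, attachment_hash, vendor_hits, device_action, min_hits=5):
    """Steps 2, 3 and 6: derive the playbook answers. min_hits (assumed) is how many
    vendors must flag the hash before the attachment counts as confirmed malicious."""
    has_attachment = bool(attachment_hash) and re.fullmatch(r"[0-9a-fA-F]{32}", attachment_hash) is not None
    malicious = has_attachment and vendor_hits >= min_hits
    # Delivery follows the gateway action, not the log: the SMTP session to the
    # Exchange server is logged even though the message itself was blocked.
    delivered = device_action.lower() != "blocked"
    return PlaybookAnswers(has_attachment, malicious, delivered, find_destination(lines, src_ip))
```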

Conclusion

With all the evidence gathered, the case was closed, confirming the alert as a true positive.

This investigation emphasizes the importance of vigilance against phishing attempts and the need for multiple layers of security to safeguard against evolving threats.
