First of all, I take a look at the alarms on the Monitoring page and choose one to review.
I selected the "Phishing mail detected" alarm and press the "+" button to view the details.
As seen in the device action section, the mail has reached the end user. I’m starting to investigate by forwarding the alarm to “Investigation Channel”.
To create a new case i clicked the "Create Case" button (>>) and it automatically created a new case in Case Management.
On the page that opens, I followed steps by clicking the "Start Playbook" button.
I try to answer the questions
When was it sent?
I can find the e-mail date by searching the SMTP address in Log Management.
What is the email’s SMTP address?
It is clearly seen in the alarm details that the SMTP address is 63.35.133.186.
What is the sender address?
It is written in the alarm details that the sender's address is info@nexoiberica.com.
What is the recipient address?
In the alarm details, it says that the recipient's address is mark@letsdefend.io
Yes, there is a Package.doc file.
I downloaded the "Package.doc" file by clicking on the file name. I uploaded the downloaded file to VirusTotal and AnyRun.
When I examine the outputs, it becomes clear that this file is malicious.
The file first downloads a malicious file from "http://qstride[.]com/img/0/" and then requests "67[.]68[.]210[.]95/sYRi1gXh/MT11zmUJJnEPL0yFBD/2eq2F/F9qzZD2wEYCCLpw/EJpn0u/"
AnyRun link: https://app.any.run/tasks/f16207fe-0981-45c0-9fdb-47e71d65df7a
I added all the indicators I obtained as artifacts.
Since the mail is forwarded to the user ("Device Action: Allowed" in alarm details), we delete the mail from the user's inbox with the "Delete Mail" button.
Since the mail is forwarded to the user, we need to check whether there is access to the c2 address we found in step 3. We can check whether there is access by typing the IP address (67.68.210.95) we found in the search section on the Log Management page.
As you can see, the device with the IP address of "172.148.17.14" made a request to the malicious address. Probably read the mail.
It would be correct to assume that this device has been compromised since we see that there is access to the malicious address as a result of the search. For this reason, we isolate the device with the help of the "Containment" button next to the relevant device from the Endpoint Security page.
And finished
Now I can turn off the alarm from the Monitoring page
In order to turn off the alarm, we need to specify whether it is True Positive or False Positive. After determining this, we turn off the alarm after entering a descriptive comment for the actions taken.
