WriteUp SOC101 - Phishing Mail Detected - EventID 8

September 9, 2020

First of all, I take a look at the alarms on the Monitoring page and choose one to review.

I selected the "Phishing Mail Detected" alarm and pressed the "+" button to view its details.

As seen in the "Device Action" section, the mail has reached the end user. I start the investigation by forwarding the alarm to the "Investigation Channel".

To create a new case, I clicked the "Create Case" button (>>), which automatically created a new case in Case Management.

On the page that opens, I followed the playbook steps by clicking the "Start Playbook" button.


Step 1 - Parse Mail

I try to answer the playbook questions:

When was it sent?

I can find the date the e-mail was sent by searching for its SMTP address in Log Management.

What is the email’s SMTP address?
It is clearly seen in the alarm details that the SMTP address is

What is the sender address?
It is written in the alarm details that the sender's address is info@nexoiberica.com.

What is the recipient address?
In the alarm details, it says that the recipient's address is mark@letsdefend.io.

Step 2 - Are there attachments or URLs in the email?

Yes, there is an attachment named Package.doc.


Step 3 - Analyze URL/Attachment

I downloaded the "Package.doc" file by clicking on the file name, then uploaded it to VirusTotal and AnyRun.

When I examine the sandbox outputs, it becomes clear that this file is malicious.

The document first downloads a malicious file from "http://qstride[.]com/img/0/" and then makes a request to "67[.]68[.]210[.]95/sYRi1gXh/MT11zmUJJnEPL0yFBD/2eq2F/F9qzZD2wEYCCLpw/EJpn0u/".

AnyRun link: https://app.any.run/tasks/f16207fe-0981-45c0-9fdb-47e71d65df7a

Step 4 - Add Artifacts

I added all the indicators obtained in step 3 (the download URL and the C2 address) as artifacts of the case.

Step 5 - Delete Mail

Since the mail was delivered to the user ("Device Action: Allowed" in the alarm details), we delete it from the user's inbox with the "Delete Mail" button.

Step 6 - Check If Someone Opened the Malicious File/URL

Since the mail was delivered to the user, we need to check whether any host accessed the C2 address we found in step 3. We can check this by typing the IP address we found there into the search section on the Log Management page.

As you can see, the device with the IP address "" made a request to the malicious address. The user most likely opened the mail and the attachment.


Step 7 - Containment

It is reasonable to assume that this device has been compromised, since the search shows that it accessed the malicious address. For this reason, we isolate the device with the "Containment" button next to the relevant host on the Endpoint Security page.

And we are done.

Now I can turn off the alarm from the Monitoring page.

In order to turn off the alarm, we need to classify it as True Positive or False Positive. After deciding this (here it is a True Positive), we enter a descriptive comment on the actions taken and close the alarm.
