Investigation #8
In review
2023-12-12 18:02:04
Executive summary
The investigation concluded that the email sent from admin@thisisraelcompany.com with a subject related to a password policy update is malicious due to a confirmed malicious URL contained within the email body. The sender's domain and the company claimed in the email did not match, and the URL did not correspond to an official Microsoft service, which is indicative of phishing. The attachment named "image.png" and the domain storage.googleapis.com were found to be non-malicious.
Conclusion: Malicious
Immediate action should be taken to mitigate the risks and secure the affected systems.
Findings
Evidence locker
Email summary
Evidence: Email Content Suggests Phishing Strategies
Evidence: Email sender's domain does not match claimed company
Artifact: admin@thisisraelcompany.com
Evidence: Email Claims to be from Company, URL Mismatch
Evidence: File image.png Deemed Non-Malicious
Artifact: 94255f14bea62afe7b16d5e8de4540a4
Evidence: Domain storage.googleapis.com is not malicious
Artifact: storage.googleapis.com
Evidence: URL Deemed Malicious by Multiple Security Vendors
Artifact: https://storage.googleapis.com/trap4ou01/t01trxin.html#/4KZHcO8785fUEm27jdqrqaybgy597CDMMRZZOZAYQZPQ40036/748i16
Recommended remediations
The SOC and IR teams should immediately block the malicious URL at the network perimeter to prevent further access and investigate whether any users have clicked on the link, potentially compromising their credentials. They should also revoke any sessions initiated through the link and reset passwords for affected accounts.
The teams should analyze the non-malicious attachment for any hidden payloads or exploits that may not have been initially detected and ensure that email filtering solutions are updated to recognize and block similar phishing attempts in the future. Additionally, they should conduct a review of current email security policies and user training programs to improve the organization's resilience against phishing attacks.