Investigating Fake Emails | Letsdefend Walkthrough | Case SOC326

Motasem Hamdan
2 min read · Jan 6, 2025


Introduction

This post is a detailed walkthrough of a simulated cybersecurity incident investigation in a Security Operations Center (SOC) on the LetsDefend platform. The investigation covers case SOC326, which involves malicious email activity from a look-alike domain.

Overview of the Letsdefend Platform

  • The platform has three main alert channels: active alerts, investigation alerts, and closed alerts.
  • Tools like log management, email security, and threat intelligence are available to assist in investigations.

Alert Analysis | Case SOC326

  • The highlighted alert involves a suspected phishing campaign using an impersonated domain.
  • The alert is triggered by a change to the MX record of the suspicious domain, a sign that the domain has been set up to send or receive mail.

Steps in Investigation

  • Initial Details: The domain impersonates the company’s own domain through typosquatting (a small character-level variation of the legitimate name), so mail sent from it looks like legitimate internal email at a glance.
  • Email Analysis: Emails sent from the impersonated domain to employees are inspected. These emails contain links designed to lure recipients into clicking, leading to potential phishing forms or malware downloads.
  • Endpoint Analysis: An endpoint’s browser history and network connections are reviewed to identify interactions with the suspicious domain.
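The three investigation steps above (spot the typosquatted sender domain, pull the emails it sent and the links they carry, then find which endpoints actually browsed to it) can be scripted for triage. The following is an added example written for this walkthrough, not code from the original post or from LetsDefend; the company domain `letsdefend.io`, the host names, and the email and browser-history log lines are all constructed for illustration, and the key=value log format is an assumption rather than the platform's real export format.

```python
"""Triage helper: flag look-alike sender domains in an email log and
find which endpoints browsed to them.

Added example for this walkthrough; the legit domain, hosts and log
lines below are constructed, not real telemetry or LetsDefend data."""

import re

LEGIT_DOMAIN = "letsdefend.io"  # assumed company domain for the example

# Constructed sample email gateway log (key=value fields, assumed format).
EMAIL_LOG = """\
2025-01-06T09:12:01Z sender=hr@letsdefemd.io recipient=alice@letsdefend.io url=https://letsdefemd.io/payroll
2025-01-06T09:12:05Z sender=hr@letsdefemd.io recipient=bob@letsdefend.io url=https://letsdefemd.io/payroll
2025-01-06T09:30:10Z sender=news@vendor-updates.com recipient=alice@letsdefend.io url=https://vendor-updates.com/jan
2025-01-06T10:02:33Z sender=it@letsdefend.co recipient=carol@letsdefend.io url=https://letsdefend.co/reset
2025-01-06T10:05:00Z sender=ops@letsdefend.io recipient=dave@letsdefend.io url=https://intranet.letsdefend.io/
"""

# Constructed sample endpoint browser history, same assumed format.
BROWSER_HISTORY = """\
2025-01-06T09:15:44Z host=WS-ALICE url=https://letsdefemd.io/payroll
2025-01-06T09:16:02Z host=WS-BOB url=https://mail.letsdefend.io/inbox
2025-01-06T10:10:20Z host=WS-CAROL url=https://letsdefend.co/reset
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True if `domain` is a plausible typosquat of `legit`.

    The legit domain itself and its subdomains are never flagged. A domain is
    flagged when its registrable name matches but the TLD differs (letsdefend.co),
    or when the name is within a small edit distance (letsdefemd, letsdefned).
    The distance threshold scales with name length; short names get a tighter
    bound so common words are not flagged as squats (heuristic, tune per org)."""
    d = domain.lower().rstrip(".")
    if d == legit or d.endswith("." + legit):
        return False
    name, _, _tld = d.rpartition(".")
    lname, _, _ltld = legit.rpartition(".")
    if name == lname:
        return True
    return levenshtein(name, lname) <= max(1, len(lname) // 5)


def parse_kv(line: str) -> dict:
    """Turn 'k=v k2=v2' fields on one log line into a dict."""
    return dict(KV_RE.findall(line))


def domain_of(value: str) -> str:
    """Extract the domain from an email address or a URL."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    m = re.match(r"[a-z]+://([^/:]+)", value, re.I)
    return (m.group(1) if m else value).lower()


def flag_phishing_senders(email_log: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Map each look-alike sender domain to the recipients it mailed and the URLs it carried."""
    hits: dict = {}
    for line in email_log.splitlines():
        f = parse_kv(line)
        sender_domain = domain_of(f["sender"])
        if is_lookalike(sender_domain, legit):
            entry = hits.setdefault(sender_domain, {"recipients": set(), "urls": set()})
            entry["recipients"].add(f["recipient"])
            entry["urls"].add(f["url"])
    return hits


def endpoints_that_visited(history: str, domains) -> dict:
    """Map each host that browsed to a flagged domain (or a subdomain of it) to the URLs it hit."""
    visited: dict = {}
    for line in history.splitlines():
        f = parse_kv(line)
        d = domain_of(f["url"])
        if any(d == bad or d.endswith("." + bad) for bad in domains):
            visited.setdefault(f["host"], set()).add(f["url"])
    return visited


def triage(email_log: str = EMAIL_LOG, history: str = BROWSER_HISTORY, legit: str = LEGIT_DOMAIN):
    """Run both stages: flagged senders, then endpoints that clicked through."""
    senders = flag_phishing_senders(email_log, legit)
    clicked = endpoints_that_visited(history, senders)
    return senders, clicked


if __name__ == "__main__":
    senders, clicked = triage()
    for d, info in sorted(senders.items()):
        print(f"look-alike sender {d}: mailed {sorted(info['recipients'])}, links {sorted(info['urls'])}")
    for host, urls in sorted(clicked.items()):
        print(f"endpoint {host} visited {sorted(urls)}: prioritise for compromise check")
```

Run as-is, the script flags `letsdefemd.io` (one-character substitution) and `letsdefend.co` (same name, different TLD), leaves `vendor-updates.com` and the real `letsdefend.io` alone, and reports that WS-ALICE and WS-CAROL actually browsed to the phishing links while WS-BOB, who only visited the legitimate `mail.letsdefend.io`, is not flagged. Those two hosts are the ones to examine for credential entry or downloads in the endpoint analysis step.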

Domain and URL Inspection

  • Tools like VirusTotal and ANY.RUN are used to analyze the domain and its associated URLs. Although the domain was inactive at the time of analysis, its typosquatted structure and the phishing links it delivered classify it as malicious.

Key Findings

  • The domain’s use of typosquatting techniques for phishing is confirmed as malicious, even though it is currently inactive.
  • Employee interactions with the phishing email are investigated for potential compromise.

Final Recommendations

  • Include findings in the case report.
  • Highlight the risk that the currently inactive domain becomes active later and is reused in a future campaign.
  • Educate employees on recognizing and avoiding phishing attempts.


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
