SOC140

  1. SOC140 - Phishing Email Detected - Suspicious Task Scheduler

  2. Checking the content of the email message, downloading the attached file in the sandbox and checking the file's hash.

  3. Results from VirusTotal.

  4. In the sandbox, we can open the malicious PDF file and check how it looks.

As we see, the document is deliberately blurred so that the reader clicks on it to zoom in; when we clicked, a malicious website opened:

Checking the website:

  5. Back in the laboratory, checking the activity of the user who received the malicious email.

The user opened Adobe Reader, so we may suspect that they opened the malicious file; now we have to check Log Management and isolate the user from the network.

  6. Checking the suspicious IP address.

  7. The email came from the domain carleton.ca, which we need to check.

Checking the IP address of the email server.

WHOIS results:

  8. When we put all the information together, we can see that the sender address on the email the user received has been spoofed.
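As an added illustration of the cross-check in this step (not part of the original write-up), the Python below parses a constructed message, hashes the attachment for the sandbox/VirusTotal lookup, and compares the visible From: domain with the envelope sender, the SPF verdict and the originating IP from the Received header. The IP 192.0.2.10, the example.net domains and the PDF bytes are placeholders; only carleton.ca comes from the alert.

```python
import email.utils
import hashlib
import re
from email import policy

# Constructed sample message (not taken from the page): the PDF payload is a
# placeholder and 192.0.2.10 / example.net are documentation-range values.
RAW_EMAIL = b"""Return-Path: <bounce@mail.example.net>
Received: from mail.example.net ([192.0.2.10]) by mx.lab.local; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.lab.local; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: "IT Support" <helpdesk@carleton.ca>
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please see the attached document.
--B1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 placeholder bytes standing in for the real attachment
--B1--
"""


def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Domain the user sees (From:) versus the envelope sender (Return-Path)
    from_domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return_path = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    envelope_domain = return_path.rpartition("@")[2].lower()
    # SPF verdict recorded by the receiving MX in Authentication-Results
    spf_match = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = spf_match.group(1).lower() if spf_match else "none"
    # Originating IP: the earliest Received header is the last one listed
    received = msg.get_all("Received", [])
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    # SHA-256 of each attachment, the value to look up on VirusTotal
    attachments = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments[part.get_filename()] = hashlib.sha256(data).hexdigest()
    # A failed/missing SPF check or a From/envelope mismatch points to spoofing
    spoof_suspected = spf != "pass" or from_domain != envelope_domain
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "spf": spf, "origin_ip": ip_match.group(1) if ip_match else None,
            "attachments": attachments, "spoof_suspected": spoof_suspected}
```

The origin IP and the WHOIS result for the envelope domain are what the analyst then checks by hand, as in steps 6 and 7.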

Closing alert:
