“SOC120 — Phishing Mail Detected — Internal to Internal” investigation
Hello, today I will write about the investigation of the “SOC120 — Phishing Mail Detected — Internal to Internal” alarm from letsdefend.io.
The alert appears in our investigation channel. After that, we proceed to build the case.
Let’s start the playbook.
The first step is to ‘Parse Email’ and gather information about the incoming email. The alert itself already contains most of that information:
§ The alarm was triggered with medium severity at 16:24 (4.24 a.m.) on 7 Feb 2021.
§ The SMTP IP address of the user who sent the mail is seen as “172.16.20.3”.
§ The e-mail that caused the alarm was sent from “john@letsdefend.io” to “susie@letsdefend.io” with the subject “Meeting”.
§ Since the device action shows as “Allowed”, we know that the mail reached the user’s mailbox.
Here is the content of the email:
As we can see, the email does not contain any attachments or URLs. Well, how could it be phishing?!
So, we are going to create the case:
Before closing the case, we add the findings from the review phase to it.
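To make the ‘Parse Email’ step and the attachment/URL check repeatable, here is an added Python triage helper. It is example code written for this post, not LetsDefend’s playbook or tooling. The two raw messages are constructed: the first mirrors the alert fields above (john@letsdefend.io to susie@letsdefend.io, subject “Meeting”, relay 172.16.20.3); the second is a contrast case with a link and an attachment, using an invented relay in the reserved 203.0.113.0/24 documentation range. The internal-domain set and the `triage` function name are assumptions for this example.

```python
"""Added triage helper for a 'Phishing Mail Detected' alert.

Parses a raw message, pulls the playbook fields (sender, recipient,
subject, SMTP source IP), decides whether the mail is internal-to-internal
and lists any attachments or URLs the analyst must look at.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: domains the organisation treats as internal.
INTERNAL_DOMAINS = {"letsdefend.io"}

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample mirroring the alert on the page: internal sender and
# recipient, subject "Meeting", relay 172.16.20.3, plain-text body only.
RAW_MEETING = b"""Received: from mail.letsdefend.io (mail.letsdefend.io [172.16.20.3])
\tby mx.letsdefend.io with ESMTP; Sun, 7 Feb 2021 16:24:00 +0000
From: john@letsdefend.io
To: susie@letsdefend.io
Subject: Meeting
Date: Sun, 7 Feb 2021 16:24:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi Susie, can we move our meeting to 3pm?
"""

# Constructed contrast case: same addresses, but a link in the body, a zip
# attachment and a relay outside the internal network (documentation range).
RAW_WITH_LINK = b"""Received: from unknown (unknown [203.0.113.5])
\tby mx.letsdefend.io with ESMTP; Sun, 7 Feb 2021 17:00:00 +0000
From: john@letsdefend.io
To: susie@letsdefend.io
Subject: Meeting notes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Notes are here: http://example.test/notes
--b1
Content-Type: application/octet-stream; name="notes.zip"
Content-Disposition: attachment; filename="notes.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Parse one raw RFC 5322 message and return the playbook findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From", "")))[1]
    recipient = parseaddr(str(msg.get("To", "")))[1]

    # The topmost Received header is the last hop before our MX; the
    # bracketed address in it is the SMTP source IP the alert reports.
    received = msg.get_all("Received") or []
    ip_match = BRACKET_IP_RE.search(str(received[0])) if received else None

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part else ""
    attachments = [p.get_filename() or p.get_content_type()
                   for p in msg.iter_attachments()]
    urls = URL_RE.findall(text)

    internal = (_domain(sender) in INTERNAL_DOMAINS
                and _domain(recipient) in INTERNAL_DOMAINS)
    indicators = []
    if urls:
        indicators.append("url")
    if attachments:
        indicators.append("attachment")

    return {
        "sender": sender,
        "recipient": recipient,
        "subject": str(msg.get("Subject", "")),
        "smtp_ip": ip_match.group(1) if ip_match else None,
        "internal_to_internal": internal,
        "attachments": attachments,
        "urls": urls,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for raw in (RAW_MEETING, RAW_WITH_LINK):
        for key, value in triage(raw).items():
            print(f"{key}: {value}")
        print("-" * 40)
```

An empty `indicators` list, as for the first sample, matches what the alert shows here: nothing to detonate or reputation-check, so the remaining work is confirming that the internal sender actually sent it (mailbox rules, login activity, user confirmation) rather than inspecting payloads.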
Summary: