Manual Checks for Email Security Threats


Summary

Manual checks for email security threats involve carefully reviewing suspicious emails to identify signs of phishing, malware, or unauthorized access attempts before taking action. This hands-on process helps detect threats that automated systems may miss by verifying sender details, examining email contents, and analyzing attachments and links for malicious indicators.

  • Scrutinize sender details: Confirm the legitimacy of the sender’s email address and domain, and look for mismatches or unusual changes that could signal a phishing attempt.
  • Inspect links and attachments: Hover over links to preview their destination and use safe environments to analyze attachments for potential malware or suspicious behavior.
  • Review email content: Watch for language that creates urgency, generic greetings, and grammatical mistakes, as these are common tactics used in phishing campaigns.
Summarized by AI based on LinkedIn member posts

  • Sourabh Mishra - SIEM and EDR XPERT

    Sr. SOC Analyst @ Dell | Certified Splunk-1003 & 1002 | AZ-900 | Sentinel | Splunk | QRadar | ArcSight | MDE | CrowdStrike | Sentinel One | Malware Analysis | Threat Hunting | Digital Forensics

    You're a SOC analyst, right? How would you handle a phishing email?

    Here are the key steps to investigate:

    1. First check how many users have received this email. It'll help you to understand the impact of the attack.
    2. Check the source, destination, and any associated indicators of compromise (IOCs).
    3. Examine the email headers to verify the sender's authenticity. Look for the sender domain, subject of the email, Return-Path, Received, SPF, DKIM, and DMARC checks. NOTE: The two things that matter the most are the domain name and IP address in the "Received" field and the validation results in the Received-SPF field.
    4. Review the email content for phishing indicators such as urgent language, suspicious links, and requests for sensitive information.
    5. Scan the attachment using antivirus tools and sandbox environments to detect any malicious payloads.
    6. Review the user's recent activity for any signs of compromise, such as unusual login attempts or data access patterns.
    7. Look for other alerts that might be related to the same source or destination IP. This can help in understanding if the attack is part of a larger campaign.
    8. Examine the alerts triggered before and after this alert.
    9. Compare the current alert/scenario with historical data to identify any anomalies.

    Logs we need to check for such incidents:

    1. Email Gateway/Server Logs: These logs provide details about the email's path, including sender and recipient information, timestamps, and any filtering actions taken. They help verify the authenticity of the email and identify any malicious attachments or links.
    2. Endpoint Security Logs: These logs from antivirus or endpoint detection and response (EDR) tools on the user's device can reveal if the attachment was opened and if any malicious activity occurred as a result.
    3. Authentication Logs: Logs from authentication systems (e.g., Active Directory) can help determine if there were any unauthorized access attempts or unusual login patterns associated with the user's account.
    4. Web Proxy Logs: These logs can show if the user clicked on any links in the phishing email and what websites were accessed as a result.

    Mitigation Steps:

    1. If the email or attachment is confirmed malicious and the user clicked on the attachment, isolate the affected systems to prevent further spread.
    2. Run an anti-malware scan.
    3. Update email filters and firewall rules to block the sender's IOCs.
    4. Implement additional security measures, such as enhanced email filtering, user training, and multi-factor authentication.
    5. Educate the user about such phishing emails.

    Feel free to share your thoughts—I'd love to hear them! #CyberSecurity #IncidentResponse #SOC #Phishing
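The post above lists the log sources to pull (gateway, proxy, authentication) but not how to join them. The script below is an added example, not code from the post or its author: it correlates constructed gateway, proxy and authentication log lines to answer, in order, who was targeted, who actually received the message, who then browsed to the phishing domain, and who logged in from a remote address after clicking. The tuple layouts, the local address ranges and the 24-hour window are assumptions; real products emit different fields.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs for this example (not real data). Field layouts are
# assumptions; real gateway/proxy/authentication logs differ per product.
GATEWAY_LOG = [  # (timestamp, sender, recipient, subject, gateway action)
    ("2024-05-06T09:01:10", "billing@invoice-portal.example", "alice@corp.example", "Overdue invoice", "delivered"),
    ("2024-05-06T09:01:12", "billing@invoice-portal.example", "bob@corp.example", "Overdue invoice", "delivered"),
    ("2024-05-06T09:01:15", "billing@invoice-portal.example", "carol@corp.example", "Overdue invoice", "quarantined"),
    ("2024-05-06T09:30:00", "newsletter@vendor.example", "alice@corp.example", "May newsletter", "delivered"),
]
PROXY_LOG = [  # (timestamp, user, url, proxy action)
    ("2024-05-06T09:05:42", "alice", "https://invoice-portal.example/login", "allowed"),
    ("2024-05-06T09:06:01", "alice", "https://cdn.vendor.example/img.png", "allowed"),
    ("2024-05-06T11:20:00", "bob", "https://intranet.corp.example/", "allowed"),
]
AUTH_LOG = [  # (timestamp, user, source_ip, result)
    ("2024-05-06T08:15:00", "alice", "10.1.2.3", "success"),
    ("2024-05-06T09:47:13", "alice", "203.0.113.57", "success"),  # documentation-range IP standing in for an external address
    ("2024-05-06T10:02:00", "bob", "10.1.2.8", "success"),
]

# Ranges treated as "inside the network" when deciding whether a login is remote (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _ts(s):
    return datetime.fromisoformat(s)


def is_remote(ip):
    """True if the address is outside the local ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def recipients(sender, subject):
    """Step 1: scope the impact. Returns every targeted user and, for copies the
    gateway actually delivered, a user -> delivery time mapping."""
    targeted, delivered = set(), {}
    for ts, frm, to, subj, action in GATEWAY_LOG:
        if frm == sender and subj == subject:
            user = to.split("@")[0]
            targeted.add(user)
            if action == "delivered":
                delivered[user] = _ts(ts)
    return targeted, delivered


def _under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def clickers(delivered, phishing_domain):
    """Web proxy logs: which delivered recipients reached the phishing domain
    (or a subdomain of it) after the message arrived? Returns user -> first click."""
    first_click = {}
    for ts, user, url, _action in PROXY_LOG:
        host = (urlparse(url).hostname or "").lower()
        if user in delivered and _under_domain(host, phishing_domain) and _ts(ts) >= delivered[user]:
            first_click.setdefault(user, _ts(ts))
    return first_click


def suspicious_logins(first_click, window=timedelta(hours=24)):
    """Authentication logs: successful logins from remote addresses within `window`
    after the click. A credential-harvesting page followed by a login from outside
    the network is the pattern worth escalating."""
    hits = []
    for ts, user, ip, result in AUTH_LOG:
        t = _ts(ts)
        if user in first_click and result == "success" and is_remote(ip) \
                and first_click[user] <= t <= first_click[user] + window:
            hits.append((user, ip, ts))
    return hits


def triage(sender, subject, phishing_domain):
    """Run the three correlations and return a summary for the ticket."""
    targeted, delivered = recipients(sender, subject)
    clicked = clickers(delivered, phishing_domain)
    return {
        "targeted": sorted(targeted),
        "delivered": sorted(delivered),
        "clicked": sorted(clicked),
        "suspicious_logins": suspicious_logins(clicked),
    }


if __name__ == "__main__":
    print(triage("billing@invoice-portal.example", "Overdue invoice", "invoice-portal.example"))
```

The quarantined copy still counts as "targeted" so the campaign size is not under-reported, and the click check is keyed on the delivery time so a user's earlier, unrelated visit to the same host is not mistaken for a click on the lure.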

  • Gbolabo Awelewa

    Cybersecurity Expert leading the evolution of Managed Security Services across Africa's digital landscape

    A Phishing Pandemic on the Horizon ⚡

    Last Friday, I was targeted by a phishing attack from what appeared to be a trusted source — a Tier 1 bank, no less. (Snapshot below) At first glance, everything seemed legitimate. But, as someone with a zero-trust mindset, I knew to dig deeper, and red flags quickly emerged:

    🚨 Red Flag #1: Sender's Address
    The email was from a "Zoom" domain (no-reply@zoom.us) but bizarrely carried the bank's official name. This mismatch between the sender's address and the supposed source is a classic phishing tactic designed to deceive.

    🚨 Red Flag #2: Suspicious Links!
    A link for calendar integration seemed innocent, but I didn't trust it. My curiosity led me to run a technical analysis in a sandbox environment. Interestingly, a webinar scheduled for 8 am suddenly shifted to 3 am the next day. Though it redirected to Zoom's official site, I remained cautious and didn't proceed with the download.

    🚨 Red Flag #3: Spelling Mistakes
    Misspelled words and rushed edits added to the suspicion. Professional institutions usually have tight quality controls, so this was another indicator.

    My takeaway? Be Paranoid about "Digital Trust". 🧐

    🔑 Here's how you can stay safe:
    1️⃣ Check the Sender's Email Address: Always ensure the email domain matches the organization. Look out for subtle differences.
    2️⃣ Hover Over Links Before Clicking: Reveal the URL by hovering over links. If something seems off, it probably is.
    3️⃣ Be Wary of Attachments: Confirm with the sender through another communication channel before opening any attachments.
    4️⃣ Spot the Language and Content Red Flags: Be cautious of generic greetings, vague language, and grammatical errors.

    💼 Recommendations for Businesses:
    🔒 Email Filtering & Security: Implement tools to detect and block phishing before it hits the inbox.
    👥 Employee Training: Regularly train your team to spot phishing and practice safe email habits.
    🔐 Multi-Factor Authentication (MFA): Add an extra layer of security to safeguard against potential breaches.

    Have you been targeted by a phishing attack? Looking forward to your comments and contributions.
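Red flags #1 and #2 above (display name from one organisation, address from another; a link whose visible text does not match where it goes) can be checked without hovering. The code below is an added example and is not the email from the post or code by its author: it parses a constructed From header and HTML body, compares the address domain with the organisation the display name claims, and flags anchors whose href is off-domain, whose visible text names a different host than the href, or that point at a raw IP. The "last two labels" notion of a registrable domain is a simplification (a public suffix list is needed for real domains), and the sample message is constructed.

```python
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _registrable(host):
    # Naive "last two labels" view of the registrable domain (assumption): fine for
    # example.* names, wrong for co.uk-style suffixes. Use a public suffix list in practice.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header, expected_domain):
    """Red flag #1: does the address domain match the organisation the display name
    claims? The From header is attacker-controlled, so this catches the lazy mismatch
    only; a spoofed address needs the SPF/DKIM/DMARC checks."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return {
        "display_name": name,
        "address": addr,
        "domain_matches": _registrable(domain) == _registrable(expected_domain),
    }


_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def check_links(html, expected_domain):
    """Red flag #2, done programmatically instead of by hovering."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if _registrable(host) != _registrable(expected_domain):
            reasons.append("target host outside expected domain")
        m = _HOST_IN_TEXT.search(text)
        if m and _registrable(m.group(1)) != _registrable(host):
            reasons.append("visible text names a different host than href")
        try:
            ipaddress.ip_address(host)
            reasons.append("target is a raw IP address")
        except ValueError:
            pass
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample message (not the email from the post).
SAMPLE_FROM = '"Tier 1 Bank" <no-reply@zoom.us>'
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Join our webinar: <a href="https://zoom.us/j/1234567890">https://tier1bank.example/webinar</a></p>
<p><a href="https://tier1bank.example/calendar">Add to calendar</a></p>
<p><a href="http://203.0.113.9/update">Update your details</a></p>
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE_FROM, "tier1bank.example"))
    for f in check_links(SAMPLE_HTML, "tier1bank.example"):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

An off-domain link is not proof of phishing on its own (legitimate mail routinely links to SaaS providers such as zoom.us), which is why each finding carries its reasons rather than a single verdict; the text/href mismatch and raw-IP cases are the stronger signals.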

  • Muhammad Faiq

    Security Engineer/Analyst | M.Sc Computer Science

    For SOC/Cyber Security enthusiasts: Email Phishing Analysis

    When a suspicious email is reported to the security team, what analysis will you perform as a SOC Analyst?

    1. Sender and Domain Analysis
       - Verify the sender's email ID and domain.
       - Check the domain reputation using tools like:
         - VirusTotal
         - MXToolbox
         - IPVoid
       - Analyze domain details:
         - Registration date
         - Owner information
    2. Subject Line Analysis
       - Examine the subject line to determine the intent of the email:
         - Phishing
         - Social engineering
         - Promotional content
    3. Email Body Analysis
       - Look for Indicators of Compromise (IOCs), such as:
         - Urgency tactics. Example: "Reset your account within an hour, or it will be disabled."
         - Phishing URLs: embedded URLs (e.g., within an "unsubscribe" button) designed to mislead users. Check the reputation of such URLs using trusted tools.
         - Attachments: analyze suspicious attachments in a sandbox to detect malicious behavior. Avoid uploading attachments to public repositories like VirusTotal to prevent attackers from detecting the investigation and potentially bypassing detection mechanisms.
    4. Email Header Analysis
       - Obtain the email header from the email properties.
       - Perform header analysis using MXToolbox: select "Header Analysis," paste the header and submit for a detailed report.
       - Verify SPF, DKIM, and DMARC statuses.
    5. SPF, DKIM, and DMARC Verification/Pass
       - SPF (Sender Policy Framework): an authentication protocol specifying which IP addresses are authorized to send emails for a domain.
       - SPF Alignment: if the "From" field matches the "Return-Path" field, SPF alignment passes; otherwise, it fails.
       - SPF Authentication: if the sender's IP is authorized to send on behalf of the domain, SPF authentication passes; otherwise, it fails.
    6. Mail Gateway Analysis
       - Review fields like: From, To, Return-Path, Subject Line, Message ID.
       - Verify how many users received the email from the same domain/email ID.
       - Export email details for documentation.
    7. Reporting and Mitigation
       - Document: analysis details, findings, IOCs (Indicators of Compromise), GTI (Global Threat Intelligence) details.
       - Share the findings with relevant teams.
       - Coordinate with Network/IT/Admin teams to block the malicious email, domain, IP, and hash.

    #cybersecurity #cybersecurityenthusiastic #SOC #cyberstudents
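Both the first post (Received / Received-SPF fields) and steps 4 and 5 of this one (header analysis, SPF/DKIM/DMARC status and SPF alignment) describe reading the authentication headers; the script below is an added example that does that offline instead of pasting into MXToolbox. It is not code from either post or their authors. It parses a constructed raw message with Python's standard email parser, pulls the sending host and IP out of each Received header, reads the MX's Authentication-Results and Received-SPF headers, and checks alignment between the From domain and the Return-Path domain (SPF) and the DKIM signing domain. Hostnames and IPs in the sample are documentation-range placeholders, and the "last two labels" registrable-domain logic is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample raw message (headers only). Hosts and IPs are documentation
# placeholders, not real infrastructure; the Authentication-Results header is what
# our own MX (mx.corp.example) would have stamped on arrival.
SAMPLE_RAW = "\n".join([
    "Return-Path: <bounce-1234@mail-relay.example>",
    "Received: from mail-relay.example (mail-relay.example [198.51.100.20]) by mx.corp.example with ESMTPS id q7x; Mon, 6 May 2024 09:01:10 +0000",
    "Received: from WIN-PC (unknown [192.0.2.44]) by mail-relay.example with ESMTP id 5kd; Mon, 6 May 2024 09:01:05 +0000",
    "Received-SPF: pass (mx.corp.example: domain of mail-relay.example designates 198.51.100.20 as permitted sender)",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=fail header.d=bank.example; dmarc=fail header.from=bank.example",
    'From: "Bank Support" <support@bank.example>',
    "To: alice@corp.example",
    "Subject: Urgent: verify your account within 1 hour",
    "Message-ID: <20240506090105.5kd@mail-relay.example>",
    "",
    "",
])


def _registrable(host):
    # Simplified registrable domain (assumption): last two labels.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Each Received header as (sending host, IP), last hop first. The first entry
    is the server that handed the message to our MX; it is the only hop our MX
    observed directly, so earlier hops are only as trustworthy as that server."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())
        host = re.match(r"from\s+(\S+)", value)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def auth_results(msg):
    """Parse the MX's Authentication-Results and Received-SPF headers."""
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    for key, pat in (("smtp.mailfrom", r"smtp\.mailfrom=([^\s;]+)"),
                     ("header.d", r"header\.d=([^\s;]+)"),
                     ("header.from", r"header\.from=([^\s;]+)")):
        m = re.search(pat, ar)
        if m:
            out[key] = m.group(1).lower()
    rspf = msg.get("Received-SPF")
    if rspf:
        out["received-spf"] = rspf.split()[0].lower()
    return out


def assess(raw):
    msg = message_from_string(raw)
    from_domain = _domain_of(msg.get("From"))
    return_path_domain = _domain_of(msg.get("Return-Path"))
    auth = auth_results(msg)
    # Relaxed alignment as DMARC defines it: registrable domains must match.
    spf_aligned = bool(return_path_domain) and _registrable(from_domain) == _registrable(return_path_domain)
    dkim_aligned = "header.d" in auth and _registrable(from_domain) == _registrable(auth["header.d"])
    flags = []
    if auth.get("spf") != "pass":
        flags.append("spf not pass")
    elif not spf_aligned:
        flags.append("spf passes for the Return-Path domain but it does not align with From")
    if auth.get("dkim") != "pass" or not dkim_aligned:
        flags.append("no aligned dkim pass")
    if auth.get("dmarc") == "fail":
        flags.append("dmarc fail")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "hops": received_hops(msg),
        "auth": auth,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "flags": flags,
        "verdict": "suspicious" if flags else "authenticated",
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_RAW).items():
        print(f"{k}: {v}")
```

The sample shows the case the alignment check exists for: SPF is a pass, but for mail-relay.example, the Return-Path domain the attacker controls, not for bank.example in the From header the user sees. Only the Authentication-Results header added by your own MX should be trusted; a sender can include a forged one, so production code should key on the MX's authserv-id (here mx.corp.example) and discard the rest.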

  • Ashraf Elrawy

    SOC Analyst L2 | SIEM / SOAR Engineer | eCIR | eCTHPv2 | BTJA | CEHv10 | CyberOps | ISC2 CC | CAP | Purple Team | Cyber Security Enthusiast

    HOW TO INVESTIGATE PART 1

    🔍 Phishing Emails Alert:
    1- Check Email Headers (SPF, DKIM, Message-ID, Sender && Return-Path)
    2- Inspect Email content
    3- Verify SMTP IP in VirusTotal, AbuseIPDB, X-Force, Talos Intelligence
    4- Investigate Attachments at VirusTotal, urlscan, Any.run, JoeSandbox, Hybrid-Analysis
       ↪ Note: If the Attachment is a domain, check registration time
    5- Confirm if the user opened the Attachment
    ✍ https://lnkd.in/dfscKs4n
    ✍ https://lnkd.in/dSMs5Tqx
    ✍ https://lnkd.in/d5sXYis3
    ✍ https://lnkd.in/d3VS3trE

    🦠 Malware Investigation:
    1- Check File hash in threat intelligence
    2- AV Action: ensure not deleted/cleaned/quarantined; create L2 ticket if needed
    3- Examine File path to determine device infection source
    4- Check Malware category; contact user for known results like Ransomware
    ✍ https://lnkd.in/dpZdSziE
    ✍ https://lnkd.in/dBevZUmj

    🤖 Brute Force Analysis:
    1- Determine login operation origin (local or remote) by checking Source IP
    2- Inspect destination IP/Service to identify targeted service
    3- Review Logon Type to understand login method
    4- Analyze Login Failure Reason to verify user legitimacy
    5- Check IDS/IPS & WAF Logs for automation tool usage
    6- Confirm successful or unsuccessful login

    ⚔ DoS/DDoS Attack Alert:
    1- Check source IP(s) to determine local or remote origin
       ↪ Note: If remote, check threat intelligence; if local, create L2 ticket to check the host
    2- Verify manually if Destination IP is still operational
    3- Run "netstat -an" command for strange connections
    4- Run ping command to detect dropped packets
    ✍ DDOS: https://lnkd.in/eQ7zZzVt
    ✍ MaliciousNetworkBehaviour: https://lnkd.in/ewVZy2cs

    🚫 Proxy Logs Investigation (Communication to bad IP/domain):
    1- Check Proxy Category to determine domain type
    2- Review device action
    3- Examine Destination IP/domain at AbuseIPDB, VirusTotal, urlscan
       ↪ Note: For a domain, check registration time
    4- Confirm Destination Port
    5- Check User-Agent
    6- Verify Bytes Sent && Bytes Received
    7- Inspect request method
    8- Scrutinize Referer Header
    9- Validate Content-Type Header
       ↪ Note: Detection also possible through SIEM Graph

    📊 Windows Event Log Analysis (Login & Logout):
    1- Check event id/name
    2- Verify login type to understand login method
    3- Confirm workstation for DNS Name
    4- Review status and sub-status for failure
    ✍ https://lnkd.in/dpVJRJmY
    ✍ https://lnkd.in/d7ABVqjw
    ✍ https://lnkd.in/dgJfKpz2

    🛑 Unknown Process Installation Investigation:
    1- Check process name for anomalies
    2- Examine process id to identify parent or child process
       ↪ Note: If a child process, check creator process id to identify the parent process
    3- Confirm creator process name to determine the process path
    4- Check process hash in threat intelligence
    5- Verify token elevation to understand the user's app privilege

    #socanalyst #soc #blueteam #cyberdefense #securityanalyst #securityoperationscenter
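The Brute Force Analysis and Windows Event Log Analysis sections above list what to read from each event (source origin, logon type, status and sub-status, whether a success followed) without showing the decoding. The script below is an added example, not code from the post or its author: it runs those steps over constructed Windows 4624/4625 events, maps the logon type and NTSTATUS sub-status codes to their meaning, classifies the source as local or remote, and flags sources with a burst of failures followed by a success. The dictionary layout of the events, the local address ranges, and the 5-failures-in-5-minutes threshold are assumptions; the code tables are the documented Windows values.

```python
import ipaddress
from datetime import datetime, timedelta

# Logon Type values from events 4624/4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

# NTSTATUS values seen in the Status / Sub Status fields of event 4625 (keys lowercase).
FAILURE_REASONS = {
    "0xc000006d": "bad user name or password",
    "0xc000006a": "correct user name, wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc000006f": "logon outside authorized hours",
    "0xc0000070": "workstation restriction",
    "0xc0000071": "password expired",
    "0xc0000193": "account expired",
    "0xc000015b": "logon type not granted to this user",
    "0xc0000133": "clock skew too great",
}

# Ranges treated as "local" when deciding the origin of a login (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events: six failed Network logons for "administrator" from one
# external address within 50 seconds, then a success from the same address, plus one
# unrelated local typo. The documentation-range IP stands in for an external source.
SAMPLE_EVENTS = [
    {"time": "2024-05-06T02:10:%02d" % s, "id": 4625, "user": "administrator", "logon_type": 3,
     "status": "0xC000006D", "sub_status": "0xC000006A", "ip": "203.0.113.77", "workstation": "-"}
    for s in range(0, 60, 10)
] + [
    {"time": "2024-05-06T02:11:30", "id": 4624, "user": "administrator", "logon_type": 3,
     "status": "0x0", "sub_status": "0x0", "ip": "203.0.113.77", "workstation": "-"},
    {"time": "2024-05-06T08:00:00", "id": 4625, "user": "alcie", "logon_type": 2,
     "status": "0xC000006D", "sub_status": "0xC0000064", "ip": "10.1.2.3", "workstation": "WS-0421"},
]


def origin(ip):
    """Step 1 of the brute-force playbook: local or remote source?"""
    if ip in ("-", "", None):
        return "unknown"
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or any(addr in n for n in LOCAL_NETS):
        return "local"
    return "remote"


def failure_reason(status, sub_status):
    """Sub Status carries the specific cause; fall back to Status when it is generic."""
    return FAILURE_REASONS.get(sub_status.lower()) or FAILURE_REASONS.get(status.lower()) or status


def describe(event):
    """Steps 1-4 of the Windows event log playbook for a single event."""
    d = {"id": event["id"], "user": event["user"],
         "logon_type": LOGON_TYPES.get(event["logon_type"], str(event["logon_type"])),
         "origin": origin(event["ip"]), "workstation": event["workstation"]}
    if event["id"] == 4625:
        d["reason"] = failure_reason(event["status"], event["sub_status"])
    return d


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=5)):
    """Group 4625s by source IP, flag sources with >= threshold failures inside any
    `window`, and record whether a 4624 from the same source followed (step 6)."""
    by_ip = {}
    for e in events:
        if e["id"] == 4625:
            by_ip.setdefault(e["ip"], []).append(e)
    results = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in fails]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        success_after = any(e["id"] == 4624 and e["ip"] == ip
                            and datetime.fromisoformat(e["time"]) >= times[0] for e in events)
        results.append({
            "source": ip,
            "origin": origin(ip),
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "logon_types": sorted({LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])) for e in fails}),
            "reasons": sorted({failure_reason(e["status"], e["sub_status"]) for e in fails}),
            "success_after": success_after,
        })
    return results


if __name__ == "__main__":
    for c in brute_force_candidates(SAMPLE_EVENTS):
        print(c)
```

The reason set is what separates a password-spray or brute force (many "wrong password" or "user name does not exist" results against one or many accounts) from a user's own typo, and a remote Network-type burst that ends in a 4624 is the combination that should become a ticket rather than a note.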
