This time we are investigating another CRITICAL level alert.
We start with taking ownership of the alert and then head to the Investigation Channel and create a case.
Let's start the playbook:
The first playbook step asks us to parse the email:
From: update@windows-update[.]site
To: dylan[@]letsdefend.io
Subject: Upgrade your system to Windows 11 Pro for FREE
Date: Mar, 13, 2025, 09:44 AM
Action: Allowed
SMTP Address: 132.232.40.201
Attachment: No files, but there are URLs present.
Suspicious: Yes, because there were multiple 'Update Now' buttons, indicating a phishing attempt
If we copy the URL from the email and look it up on VirusTotal, we see the following:
11 out of 91 vendors flag this URL as malicious.
The next question is:
The alert details, under the Action field, show the value set to Allowed, confirming that the email was successfully delivered to the recipient.
Our next task is to delete the email.
Next we move to the Email Security tab, look for the particular email and delete it.
Next we need to find out if Dylan accessed the malicious URL. We move to Endpoint Security and check whether the URL was accessed.
We see that the URL was, in fact, accessed.
Our next step is to contain the host.
The machine is contained.
Our next step is to add the artifacts:
After adding the analyst's notes, we finish the playbook:
Now we close the alert on the monitoring page.
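The playbook steps above (parse the email, confirm delivery from the Action field, check endpoint or proxy logs for access to the sender's domain, and decide on deletion and containment) can be scripted as a small triage helper. The following is an added example written for this write-up; it is not LetsDefend's code or the author's. The email summary is the one shown above in its defanged form, but the proxy log lines, their format, the host names and the `/update-now` URL are constructed placeholders, since the actual URL from the alert is not reproduced on this page.

```python
"""Triage helper for a phishing-alert playbook (added example, not from the original write-up)."""
from __future__ import annotations
import re

# Parsed email summary in the defanged form shown in the write-up.
SAMPLE_EMAIL = """\
From: update@windows-update[.]site
To: dylan[@]letsdefend.io
Subject: Upgrade your system to Windows 11 Pro for FREE
Date: Mar, 13, 2025, 09:44 AM
Action: Allowed
SMTP Address: 132.232.40.201
"""

# Constructed proxy log (format, hosts and the URL path are placeholders, not alert data).
SAMPLE_PROXY_LOG = """\
2025-03-13T09:51:02Z host=dylan-pc user=dylan dst=windows-update.site url=http://windows-update.site/update-now status=200
2025-03-13T09:52:10Z host=dylan-pc user=dylan dst=letsdefend.io url=https://letsdefend.io/ status=200
2025-03-13T10:02:44Z host=alice-pc user=alice dst=example.com url=https://example.com/ status=200
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form so it can be matched against logs."""
    return indicator.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Defang an indicator before it is written into case notes or artifacts."""
    return indicator.replace(".", "[.]").replace("@", "[@]")


def parse_email_summary(text: str) -> dict:
    """Parse 'Field: value' lines of the email summary into a dict (first colon splits)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def sender_domain(address: str) -> str:
    """Domain part of the (possibly defanged) sender address, lower-cased."""
    return refang(address).rsplit("@", 1)[-1].lower()


def was_delivered(fields: dict) -> bool:
    """The Action field set to Allowed means the mail reached the mailbox."""
    return fields.get("Action", "").lower() == "allowed"


def hosts_that_accessed(log_text: str, domain: str) -> list:
    """Return (timestamp, host, url) for every log line whose destination is the domain or a subdomain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        dst = m["dst"].lower()
        if dst == domain or dst.endswith("." + domain):
            hits.append((m["ts"], m["host"], m["url"]))
    return hits


def triage(email_text: str, log_text: str) -> dict:
    """Run the playbook decisions: delete if delivered, contain every host that browsed to the sender domain."""
    fields = parse_email_summary(email_text)
    domain = sender_domain(fields["From"])
    hits = hosts_that_accessed(log_text, domain)
    actions = []
    if was_delivered(fields):
        actions.append("delete_email")
    hosts = sorted({host for _, host, _ in hits})
    actions.extend(f"contain_host:{host}" for host in hosts)
    # Artifacts are stored defanged so they cannot be clicked from the case notes.
    artifacts = {defang(domain), fields.get("SMTP Address", "")}
    artifacts.update(defang(url) for _, _, url in hits)
    return {
        "delivered": was_delivered(fields),
        "accessed": bool(hits),
        "hosts_to_contain": hosts,
        "actions": actions,
        "artifacts": sorted(a for a in artifacts if a),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

Matching on the sender's domain rather than the exact URL is deliberate: the phishing page may redirect or use several paths, and a subdomain match catches those as well. Anything written to the case file goes through `defang` so that the artifacts list mirrors the defanged notation used in the alert.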