Stories from the SOC – Phishing for credentials
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Extended Detection and Response customers.
Executive summary
Humans are considered the weakest link in cybersecurity. No matter how much a company invests in firewalls, antivirus, and other security software to detect, deter, and prevent attacks humans will always be the main vectors for compromise. If no adequate user-security training is provided within the organization, they will always be at risk. Phishing is one of the oldest cyber-attacks yet one of the most used by attackers due to its effectiveness and low cost.
The Managed Extended Detection and Response (MXDR) team received an alarm indicating a user had successfully logged in from a country outside of the United States (US. Upon further review, this was the first time the user had logged in from outside of the US. The analyst team created an investigation in which the customer responded and took the necessary steps to recover the account from the attacker.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The initial alarm was triggered as a result of the account being accessed from outside of the United States. Due to the recent shift of remote working, it is common to see users accessing their accounts from different countries that could be caused by Virtual Private Network (VPN) or because of travel activity.
Expanded investigation
Events search
When investigating potentially malicious behavior, it is important to understand what the baseline of a user's activity looks like. While looking at the historic data for their activity, logs showed this was the first instance the account has been accessed from outside of the United States.
The logs did not show any failed login attempts from another country, which is usually seen whenever an attacker attempts to compromise an account.
Response
Building the investigation
After gathering enough information, an investigation was created for the customer to confirm if this should be expected from this user.
Customer interaction
Within minutes of the investigation being created, the customer confirmed the user had clicked a phishing email and input their credentials, which the attacker then used to successfully logged in into their account.
The phishing email contained a URL to the following site:
Once clicked, this site would send the user to a page that impersonated a login for an email account that was used to harvest credentials.
Limitations and opportunities
Limitations
For this investigation, the MXDR team did not have full visibility into the Microsoft Office 365 Exchange environment, hindering visibility into the initial attack. We were unable able to see the phishing email being sent to this account. The only events being observed by the SOC were the successful log ins from outside of the United States.