This report analyzes a phishing incident in which a spear-phishing email targeting employees was sent through a compromised legitimate domain. The attack used an obfuscated URL to redirect victims to a fake banking login page that harvested their credentials. The report highlights critical findings on the attack's impact on organizations and provides actionable recommendations for executives and SOC teams.
Affected: Organizations, Employees
Key points:
- The phishing email used a compromised legitimate domain to bypass security measures.
- Obfuscation techniques in the URL, such as Base64 encoding and the inclusion of an @ symbol, were employed to evade detection.
- Mapping of the attack to the MITRE ATT&CK framework provided insight into the adversary’s tactics, techniques, and procedures (TTPs).
- A custom detection query was developed for SOC teams to identify similar phishing attempts in the future.
- Executives are advised to invest in advanced email security and establish multi-factor authentication (MFA).
MITRE Techniques:
- Initial Access (TA0001) — Phishing: The attacker sent a spear-phishing email with a malicious link to gain initial access.
- Defense Evasion (TA0005) — Obfuscated Files or Information (T1027): The URL contained a legitimate domain along with a Base64-encoded string to obscure its true destination.
- Credential Access (TA0006) — Input Capture (T1056): A fake banking login page was utilized to capture user credentials.
- Command and Control (TA0011) — Application Layer Protocol: Web Protocols (T1071.001): Harvested credentials were sent over HTTPS to the attacker's server.
Indicators of Compromise:
- Domain: example[.]com (intermediary domain)
- Domain: destination[.]com (malicious final site)
- URL Pattern: URLs whose authority contains an @ symbol, so that the legitimate-looking domain before the @ is treated as userinfo and the malicious domain after it is the real host
- Base64-encoded string: dXNlckBleGFtcGxlLmNvbQ== within URL paths
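The following is an added example of the kind of detection logic the report's custom SOC query would implement; it is not the report's own query and the log lines are constructed for illustration. It uses Python's standard URL parser to separate the host a user sees (the userinfo before the @) from the host a browser actually connects to, and decodes Base64-looking path segments such as the `dXNlckBleGFtcGxlLmNvbQ==` indicator to surface embedded identities. Function names, the log format and the sample entries are assumptions.

```python
"""Added example: flag URLs whose authority masks the real host with userinfo
(legit-domain@malicious-domain) and URLs carrying Base64-encoded identities in the path."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample gateway log lines (not taken from the report).
# Format assumed: "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2024-01-01T09:00:01Z alice https://example.com@destination.com/login/dXNlckBleGFtcGxlLmNvbQ==
2024-01-01T09:00:05Z bob https://www.example.com/news/2024/report.html
2024-01-01T09:00:09Z carol http://example.com:443@destination.com/portal
2024-01-01T09:00:12Z dave https://intranet.local/dXNlckBleGFtcGxlLmNvbQ==/view
"""

# A path segment that looks like standard Base64: alphabet only, 8+ chars, optional '=' padding.
B64_SEGMENT = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Loose e-mail shape, used to recognise a decoded identity such as user@example.com.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_segment(segment: str):
    """Return decoded text if `segment` is valid Base64 of printable UTF-8, else None."""
    if not B64_SEGMENT.match(segment) or len(segment) % 4:
        return None
    try:
        text = base64.b64decode(segment, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze_url(url: str) -> dict:
    """Report the host a reader sees versus the host the browser connects to, plus decoded path data."""
    parts = urlsplit(url)
    reasons = []
    # Anything before '@' in the authority is userinfo; browsers do not route on it.
    displayed = parts.username
    real_host = parts.hostname or ""
    if displayed and "." in displayed:
        reasons.append("userinfo_masks_host")
    decoded = [d for d in (decode_b64_segment(s) for s in parts.path.split("/")) if d]
    if any(EMAIL.match(d) for d in decoded):
        reasons.append("base64_email_in_path")
    return {
        "url": url,
        "displayed_host": displayed,
        "real_host": real_host,
        "decoded_segments": decoded,
        "reasons": reasons,
    }


def scan_log(text: str) -> list:
    """Run analyze_url over each log line and keep only entries with at least one reason."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        timestamp, user, url = fields[0], fields[1], fields[2]
        try:
            result = analyze_url(url)
        except ValueError:  # malformed authority (e.g. bad IPv6 brackets)
            continue
        if result["reasons"]:
            findings.append({"timestamp": timestamp, "user": user, **result})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["user"], finding["real_host"],
              "shown as", finding["displayed_host"], finding["reasons"], finding["decoded_segments"])
```

The `displayed_host` versus `real_host` split is the key field for triage: a rule that only pattern-matches "@ somewhere in the URL" will also fire on legitimate basic-auth URLs, whereas requiring the userinfo to look like a domain name narrows the alert to the masking trick the report describes.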