LevelBlue Completes Acquisition of Cybereason. Learn more

Request a Demo

LevelBlue Completes Acquisition of Cybereason. Learn more

Submit RFP
Request a Demo
Services
Cyber Advisory
Managed Cloud Security
Data Security
Manage Detection & Response
Email Security
Managed Network Infrastructure Security
Exposure Management
Security Operations Platforms
Incident Readiness & Response
SpiderLabs Threat Intelligence
View All Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Operational Technology
End-to-end OT security
Microsoft Security
Unlock the full power of Microsoft Security
Securing the IoT Landscape
Test, monitor and secure network objects
Why LevelBlue
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
LevelBlue SpiderLabs
Global researchers, ethical hackers, and responders
LevelBlue Security Operations Platforms
Unprecedented security visibility and control
Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft
Unlock the full power of Microsoft Security
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

Stories from the SOC – Phishing for credentials

2 Minute Read by Franklin Calderon

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Extended Detection and Response customers.

Executive summary

Humans are considered the weakest link in cybersecurityNo matter how much a company invests in firewalls, antivirus, and other security software to detect, deter, and prevent attacks humans will always be the main vectors for compromiseIf no adequate user-security training is provided within the organization, they will always be at risk. Phishing is one of the oldest cyber-attacks yet one of the most used by attackers due to its effectiveness and low cost.

The Managed Extended Detection and Response (MXDR) team received an alarm indicating a user had successfully logged in from a country outside of the United States (US. Upon further review, this was the first time the user had logged in from outside of the US. The analyst team created an investigation in which the customer responded and took the necessary steps to recover the account from the attacker. 

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered as a result of the account being accessed from outside of the United States. Due to the recent shift of remote working, it is common to see users accessing their accounts from different countries that could be caused by Virtual Private Network (VPN) or because of travel activity.

External access

Expanded investigation

Events search

When investigating potentially malicious behavior, it is important to understand what the baseline of a user's activity looks like. While looking at the historic data for their activity, logs showed this was the first instance the account has been accessed from outside of the United States.

external access investigation

The logs did not show any failed login attempts from another country, which is usually seen whenever an attacker attempts to compromise an account.

Response

Building the investigation

After gathering enough information, an investigation was created for the customer to confirm if this should be expected from this user.

Response phishing

Customer interaction

Within minutes of the investigation being created, the customer confirmed the user had clicked a phishing email and input their credentials, which the attacker then used to successfully logged in into their account.

customer interaction phishing

The phishing email contained a URL to the following site:

phishing email

Once clicked, this site would send the user to a page that impersonated a login for an email account that was used to harvest credentials.

Limitations and opportunities

Limitations

For this investigation, the MXDR team did not have full visibility into the Microsoft Office 365 Exchange environment, hindering visibility into the initial attack. We were unable able to see the phishing email being sent to this account. The only events being observed by the SOC were the successful log ins from outside of the United States.

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

stories from the soc

Latest Intelligence

Crowdsourced Penetration Testing: Understanding the Risks for Better Decision-Making
Art and Science: Cyber and Physical Security Convergence Deficiencies in the Louvre Heist
LevelBlue Futures Report: Retail Leaders Reveal Security Concerns

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo