SOC141 - Phishing URL Detected

This LetsDefend alert tested my ability to detect a malicious phishing URL.

I opened a case for the alert and examined the alert details, noting that it was triggered by a suspicious URL presumably used by attackers for phishing. I noted that the device action was allowed. Following the playbook, I then investigated the network logs using the source and destination IP addresses gathered from the alert details to find that a request was in fact made to the malicious URL from a host on our network.
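The log check described above, as an added example that is not part of the original write-up: a small triage script that parses constructed proxy log lines, pulls out every request to the alerted destination IP, and separates hosts whose requests were allowed (quarantine candidates) from hosts the control already blocked. The log format, the IP addresses and the `phish.invalid` hostname are all assumptions; the real alert values are not reproduced on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed format: time src_ip dst_ip method url action).
# The destination 203.0.113.45 stands in for the IP taken from the alert details.
SAMPLE_LOGS = """\
2024-01-15T09:02:11Z 172.16.17.49 203.0.113.45 GET http://phish.invalid/login.php Allowed
2024-01-15T09:02:13Z 172.16.17.49 203.0.113.45 GET http://phish.invalid/assets/app.js Allowed
2024-01-15T09:03:40Z 172.16.17.88 198.51.100.7 GET https://intranet.example/ Allowed
2024-01-15T09:05:02Z 172.16.17.12 203.0.113.45 GET http://phish.invalid/login.php Blocked
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<action>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    action: str


def parse_logs(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LOG_RE.match(line.strip()))]


def find_contacts(events, bad_dst_ip):
    """Every request to the alerted destination IP, in log order."""
    return [Hit(e["ts"], e["src"], e["url"], e["action"])
            for e in events if e["dst"] == bad_dst_ip]


def triage(events, bad_dst_ip):
    """Answer the playbook questions: did anything reach the destination, from which
    internal hosts, and was the device action 'allowed' for any of those requests?"""
    hits = find_contacts(events, bad_dst_ip)
    allowed = sorted({h.src for h in hits if h.action.lower() == "allowed"})
    blocked = sorted({h.src for h in hits if h.action.lower() == "blocked"} - set(allowed))
    return {"contacted": bool(hits), "requests": len(hits),
            "allowed_hosts": allowed,   # escalate: isolate and check the endpoint
            "blocked_hosts": blocked}   # contained by the control, still worth noting


if __name__ == "__main__":
    print(triage(parse_logs(SAMPLE_LOGS), "203.0.113.45"))
```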

A VirusTotal scan of the URL provided evidence from several security vendors that it was a phishing site, but I went a step further and scanned the URL on urlscan.io, which provided a deeper analysis into the website. The scan traced the site to a Russian IP and domain, which triggered 20 HTTP redirect transactions to other domains and subdomains. This would be confirmed when requesting the URL in an AnyRun sandbox, triggering at least 12 different connections to the aforementioned IP.

To bolster my evidence, a quick scan on Hybrid Analysis would validate my findings and confirm the maliciousness of the URL, but it went further to indicate that several JavaScript files had also been extracted.


Seems pretty "phishy" to me...

To conclude the case, I accessed the endpoint security module to confirm the identity of the host device that made the connection with the malicious IP. I quarantined the device from the network and submitted the report as a true positive.

To finish and summarize the results from the playbook tasks, I:

- verified that the traffic was malicious
- identified the attack as SQL injection
- combed through internal mail systems to find that this was not a planned test
- confirmed the traffic's direction as coming from the internet to our internal network (the web server)
- validated that the attack was unsuccessful


I documented the investigation artifacts, added my final notes, and closed the alert.