SOC146 - Phishing Mail Detected
In this security event, a high severity alert was triggered in response to a phishing email sent to a host utilizing our Exchange server. Initial investigation showed that an Excel spreadsheet was attached and contained Excel 4.0 macros.
Those familiar with Microsoft products will know that Microsoft has disabled Excel 4.0 macros, a legacy feature abused by attackers to deliver malware and execute commands on victim machines. Excel 4.0 macros have since been superseded by the VBA-based macros introduced with Excel 5.0.
Parsing the email provided us with other valuable information, including:
- Date and time the email was sent
- Email's SMTP address
- Sender's address
- Recipient's address
We ran the file through VirusTotal, which provided us with historical evidence that the attachment was in fact flagged by various security vendors as malicious. Three different vendors identified it as a Trojan. The scan was repeated to confirm our results were correct.
Additionally, we executed the file in an AnyRun sandbox environment and observed TCP traffic to a Romanian IP address, which could indicate an attempt to establish a connection with a Command and Control (C2) server. At the same time, two DLLs were loaded through the regsvr32 executable launched by Excel. When we investigated the connection history of the infected machine, we confirmed that the host had connected to the C2. The raw log file corroborates this finding, showing a connection to the URL discovered in the sandbox.
Corrective procedures outlined in the playbook led us to quarantine the affected machine and delete the email.
I would suggest implementing the following mitigation strategies to harden our network and endpoints in preparation for future events:
- Blacklist the IP and URL utilized in this attack
- Implement endpoint protection and/or antimalware/antivirus software configured with the latest attack signatures
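As an added example, not part of the original report: a small detection script that checks constructed process and network log lines for the two behaviours observed during this event, Excel launching regsvr32 and outbound connections to a blocklisted IP and URL. The log format, hostnames, IP, URL and DLL path are placeholders and not the real indicators from the incident.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from the incident): process-creation and
# outbound-connection events in a simple key=value format.
SAMPLE_LOGS = [
    'type=process host=WS-01 parent=EXCEL.EXE child=regsvr32.exe cmd="regsvr32 /s C:\\Users\\Public\\x.dll"',
    'type=process host=WS-01 parent=explorer.exe child=notepad.exe cmd="notepad.exe"',
    'type=network host=WS-01 dst_ip=203.0.113.10 dst_port=443 url=http://203.0.113.10/files/x.dll',
    'type=network host=WS-02 dst_ip=198.51.100.7 dst_port=443 url=https://example.com/',
]

# Placeholder blocklist standing in for the IP and URL found in the sandbox.
BLOCKED_IPS = {"203.0.113.10"}
BLOCKED_URLS = {"http://203.0.113.10/files/x.dll"}

# key=value pairs; values may be quoted strings containing spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def evaluate(line: str) -> List[str]:
    """Return the names of the detections that fire for one log line."""
    ev = parse_line(line)
    hits: List[str] = []
    if ev.get("type") == "process":
        # An Office application spawning regsvr32 matches the sandbox behaviour.
        if ev.get("parent", "").upper() == "EXCEL.EXE" and ev.get("child", "").lower() == "regsvr32.exe":
            hits.append("office_spawned_regsvr32")
    elif ev.get("type") == "network":
        if ev.get("dst_ip") in BLOCKED_IPS:
            hits.append("blocked_ip_connection")
        if ev.get("url") in BLOCKED_URLS:
            hits.append("blocked_url_connection")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Group fired detections by host so an analyst can see which machines to isolate."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        hits = evaluate(line)
        if hits:
            findings.setdefault(parse_line(line)["host"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOGS).items():
        print(host, hits)
```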