playbok1
We start with our instruction to parse email
parseemail
From: update@windows-update[.]site
To: dylan[@]letsdefend.io
Subject: Upgrade your system to Windows 11 Pro for FREE
Date: Mar, 13, 2025, 09:44 AM
Action: Allowed
SMTP Address: 132.232.40.201
Attachment: No files, but there are URLs present.
Suspicious: Yes, because there were multiple 'Update Now' buttons, indicating a phishing attempt
attachment
If we copy the url from the email and look it up on VirusTotal we see the following:
virustotal
11 out of 91 vendors flag this URL as malicious.
malicious
The next question is:
deliveredkya
alowed
The the alert details, under the Action field, shows the value set to Allowed β confirming that the email was successfully delivered to the recipient.
delivered
delete
Our next task is to delete the email
emailsecurity
Next we move to the Email Security tab, look for the particular email and delete it.
deleted
playbook3
Next we need to find out if Dylan accessed the malicious URL. We move to
Endpoint Security and see if the URL was accessed
accessed
We see that the URL was, in fact, accessed.
playbook4
Our next step is to contain the host.
contained
The machine is contained.
Our next step is to add the artifacts:
artifacts
After putting Analyst's notes, we finish the playbook:
finish
close
Now we close the alert on the monitoring page.