T1566 Phishing
T1056 Credential Harvesting
External sender bill@microsoft.com, sending from SMTP IP 180.76.101.229, targeted ellie@letsdefend.io.
Malicious HTML attachment delivering a password-stealing phishing page. Dynamic analysis in AnyRun confirmed credential-harvesting behavior and identified the C2 domain tecyardit.com.
Apr 26 2021 23:03 PM
Email delivered through Exchange to ellie@letsdefend.io. The phishing page was configured to send harvested credentials to tecyardit.com.
Credential harvesting attempt to steal the user's username and password for account compromise.
Attachment executed in the sandbox showed a fake login page capturing credentials and posting them to tecyardit.com. No outbound connections to tecyardit.com were observed in network logs. User did not open the attachment. True Positive: malicious attachment, but no successful compromise.
Action
Email contained. Indicators documented including tecyardit.com and 180.76.101.229. No endpoint isolation required. Monitoring continued for related activity.
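The network-log check behind the "no outbound connections observed" finding, as an added example that is not part of the case note or any LetsDefend tooling: it sweeps key=value style gateway, proxy and DNS records for the two indicators documented above (tecyardit.com, including any subdomain, and 180.76.101.229) and separates a gateway hit on the sending IP from an actual outbound contact to the C2. The log lines and the 10.0.0.23 host address are constructed for the example; the log format is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Indicators documented in the case note.
IOC_DOMAINS = {"tecyardit.com"}
IOC_IPS = {"180.76.101.229"}

# Constructed sample log lines (not real logs): one SMTP gateway record for
# the delivery, then proxy and DNS records for the recipient's host afterwards.
SAMPLE_LOGS = """\
2021-04-26T23:03:00Z smtp-gw from=bill@microsoft.com to=ellie@letsdefend.io client_ip=180.76.101.229 attachment=invoice.html
2021-04-26T23:10:05Z proxy src=10.0.0.23 dst=update.example.net:443 action=allow
2021-04-26T23:15:42Z dns client=10.0.0.23 query=www.letsdefend.io type=A
2021-04-27T01:22:10Z proxy src=10.0.0.23 dst=cdn.example.org:443 action=allow
"""

# key=value tokens; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

Hit = Tuple[str, str, str, str]  # (timestamp, log source, field, matched value)


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> <source> k=v k=v ...' into a flat dict."""
    ts, source, rest = line.split(" ", 2)
    fields = {"ts": ts, "source": source}
    for key, value in _KV.findall(rest):
        fields[key] = value.strip('"')
    return fields


def matches_domain(host: str) -> bool:
    """True for the IoC domain itself or any subdomain of it (case-insensitive,
    trailing dot tolerated); 'nottecyardit.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(log_text: str) -> List[Hit]:
    """Every field in every record whose value is an IoC IP or IoC domain."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for field, value in rec.items():
            if field in ("ts", "source"):
                continue
            host = value.split(":")[0]  # drop a :port suffix (IPv4/hostnames only)
            if host in IOC_IPS or matches_domain(host):
                hits.append((rec["ts"], rec["source"], field, host))
    return hits


def outbound_c2_contacts(log_text: str) -> List[Hit]:
    """Only hits from network sources (proxy/dns): a host actually reaching the C2.
    A gateway record of the sender's IP is delivery evidence, not compromise."""
    return [h for h in find_ioc_hits(log_text) if h[1] in ("proxy", "dns")]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IoC hit:", hit)
    print("outbound C2 contacts:", outbound_c2_contacts(SAMPLE_LOGS))
```

On the constructed sample the only hit is the gateway record carrying the sender IP, and the outbound list is empty, which is the state the case note describes; a proxy record with a dst under tecyardit.com would be the signal that the attachment was opened and credentials submitted.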