MITRE ATT&CK mapping

Technique ID   Technique                                   Relevance to this alert
T1566.001      Phishing: Spearphishing Attachment          Malicious email attachment used as the initial infection vector
T1105          Ingress Tool Transfer                       Payload delivery mechanism via the attachment
T1071.001      Application Layer Protocol: Web Protocols   Potential C2 communication channel had the payload executed
The alert "SOC101 Phishing Mail Detected" was triggered after an email with the subject "Invoice" was sent from icianb@hotmail.com to sofia@letsdefend.io. The email contained an attachment that VirusTotal and sandbox analysis identified as malicious and associated with Cobalt Strike.
Oct 29 2020 07:43 PM
Email sent from 191.233.193.73 to sofia@letsdefend.io
The alert was triggered by the detection of a phishing email carrying a malicious attachment. Threat intelligence confirms the file is associated with Cobalt Strike. The email was blocked by security controls, and no network connections or execution activity were observed on the endpoint. The activity is classified as a true positive phishing attempt with no successful compromise.
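The triage steps above (threat-intel verdict on the attachment, gateway block status, then endpoint and network evidence) can be expressed as a small correlation routine. The following is an added example and not part of the original report or any LetsDefend tooling; the SHA-256 value, the threat-intel table, the host name and the endpoint/network events are constructed placeholders, and the VirusTotal lookup is simulated by a dictionary.

```python
# Added example: reproduces the triage logic of the report above.
# Every hash, host name, C2 address and log event here is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MailEvent:
    sender: str
    recipient: str
    subject: str
    source_ip: str
    attachment_sha256: str
    action: str  # "blocked" or "delivered", as reported by the mail gateway


@dataclass
class Verdict:
    classification: str      # "true positive" or "false positive"
    family: Optional[str]    # malware family from threat intel, if any
    compromised: bool        # did the payload execute or beacon out?
    reasons: List[str] = field(default_factory=list)


# Constructed stand-in for a VirusTotal / sandbox lookup keyed by SHA-256.
# The key is a placeholder, not an indicator taken from the alert.
THREAT_INTEL: Dict[str, Dict] = {
    "placeholder-sha256-of-attachment": {
        "malicious": True,
        "family": "Cobalt Strike",
        "c2_ips": {"203.0.113.10"},  # constructed C2 address (TEST-NET-3)
    },
}


def triage(mail: MailEvent, intel: Dict[str, Dict],
           endpoint_events: List[Dict], network_events: List[Dict]) -> Verdict:
    """Classify a phishing-mail alert and decide whether the host was compromised."""
    record = intel.get(mail.attachment_sha256)
    if not record or not record.get("malicious"):
        return Verdict("false positive", None, False,
                       ["attachment not flagged by threat intel"])

    reasons = [f"attachment flagged as {record['family']}"]

    # Execution evidence: a process started from the attachment's hash.
    executed = any(
        e["event"] == "process_start" and e["sha256"] == mail.attachment_sha256
        for e in endpoint_events
    )
    # C2 evidence: outbound connection to an address the intel record lists as C2.
    beaconed = any(n["dest_ip"] in record.get("c2_ips", set())
                   for n in network_events)

    reasons.append("mail blocked at gateway" if mail.action == "blocked"
                   else "mail delivered to mailbox")
    reasons.append("attachment executed on endpoint" if executed
                   else "no execution observed on endpoint")
    reasons.append("outbound connection to known C2" if beaconed
                   else "no C2 traffic observed")

    return Verdict("true positive", record["family"], executed or beaconed, reasons)


# Constructed sample data mirroring the alert narrative.
SAMPLE_MAIL = MailEvent(
    sender="icianb@hotmail.com", recipient="sofia@letsdefend.io",
    subject="Invoice", source_ip="191.233.193.73",
    attachment_sha256="placeholder-sha256-of-attachment", action="blocked",
)
SAMPLE_ENDPOINT = [  # unrelated process on the recipient's (constructed) host
    {"host": "sofia-pc", "event": "process_start", "sha256": "unrelated-hash"},
]
SAMPLE_NETWORK = [   # benign connection, not a listed C2 address
    {"host": "sofia-pc", "dest_ip": "198.51.100.5"},
]


def triage_sample() -> Verdict:
    return triage(SAMPLE_MAIL, THREAT_INTEL, SAMPLE_ENDPOINT, SAMPLE_NETWORK)


if __name__ == "__main__":
    v = triage_sample()
    print(v.classification, v.family,
          "compromised" if v.compromised else "no compromise")
    for r in v.reasons:
        print(" -", r)
```

For the sample data this yields "true positive, Cobalt Strike, no compromise", matching the report. The same routine returns a compromised verdict when the mail was delivered and a process started from the attachment hash or the host connected to a listed C2 address, which is the distinction the analyst must make before closing the case.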