Richard Vincent
SOC Investigation

Enterprise Phishing Email Investigation

Public-facing SOC investigation documenting the analysis of a phishing email, including alert triage, severity classification, IOC review, threat intelligence enrichment, MITRE ATT&CK mapping, investigation timeline, analyst notes, and containment recommendations.

Alert Summary

An inbound phishing alert was triggered after a suspicious email reached a user inbox without being blocked by email security controls. The message was sent from free@coffeeshoop.com to felix@letsdefend.io via SMTP source IP 103.80.134.63 with the subject line "Free Coffee Voucher".

Investigation Timeline

This timeline summarizes the investigation workflow from alert review through classification and containment recommendation.

09:22 - Phishing alert triggered and case opened for review.
09:24 - Email header details reviewed, including sender, recipient, subject, and source IP.
09:28 - Suspicious URL and related artifact reputation checked.
09:31 - Threat intelligence review completed using external enrichment.
09:36 - Alert classified as a true positive phishing attempt.
09:40 - Containment and detection improvement recommendations documented.

Email Analysis

The phishing email leveraged social engineering techniques, including urgency and reward-based lures, to increase the likelihood of user interaction. Phrases such as "Hurry" and "This offer expires soon", combined with a free-voucher offer from an unfamiliar sender, supported the assessment that this was a deceptive message rather than a normal promotional email.

Header Findings

  • Sender: free@coffeeshoop.com
  • Recipient: felix@letsdefend.io
  • SMTP Source IP: 103.80.134.63
  • Subject: Free Coffee Voucher
  • Delivery Status: Allowed
  • Severity: Medium

IOC Analysis

The main indicators reviewed during the investigation included the sender, source IP, lure subject, suspicious attachment or URL behavior, and impersonation indicators.

  • Sender address: free@coffeeshoop.com
  • SMTP source IP: 103.80.134.63
  • Subject lure: Free Coffee Voucher
  • Attachment / URL: Suspicious ZIP / URL
  • Social engineering: Urgency-based lure
  • Impersonation: Adobe login impersonation
  • Malware association: AsyncRAT-related artifact

Threat Intelligence Review

The suspicious URL and related artifact were reviewed in VirusTotal as the external threat intelligence source (see Investigation Evidence). Multiple vendor detections supported the conclusion that the activity was malicious. Supporting analysis indicated that the URL imitated an Adobe login page, consistent with credential harvesting, and that the attachment behavior aligned with an AsyncRAT-related remote-access trojan pattern, consistent with malware delivery.

Analyst Notes

The delivery status of Allowed increased user risk exposure: the email reached the mailbox without being quarantined by email security controls, so containment depended on the SOC response rather than on automated filtering.

The combination of a deceptive sender, urgency-based language, suspicious artifacts, and threat intelligence enrichment supported escalation from suspicious activity to a confirmed true positive phishing attempt.

Detection Opportunities

Based on the investigation, the following areas could improve future detection or prevention:

  • Email gateway filtering for suspicious sender domains and promotional lures from low-reputation infrastructure
  • URL reputation blocking for known malicious or newly suspicious links
  • Attachment sandboxing for ZIP files and payload-like behavior
  • User phishing awareness focused on urgency, fake rewards, and credential harvesting attempts
  • Domain and IP reputation monitoring for recurring phishing infrastructure
  • Mailbox search workflows to identify similar messages across the environment

User Risk

Because the email was delivered successfully, the recipient was exposed to multiple possible risks:

  • Credential theft through fake login capture
  • Malware execution if the attachment was opened
  • Initial access into the environment
  • Follow-on attacker activity after user interaction

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1566.001 - Spearphishing Attachment
  • T1566.002 - Spearphishing Link
  • T1204 - User Execution
  • Credential harvesting through the imitated Adobe login page (observed behavior behind T1566.002; not mapped to a separate technique ID here)

Final Verdict

True Positive - Phishing Attempt

The alert was classified as malicious because it combined a deceptive sender, urgency-driven content, suspicious artifacts, and supporting threat intelligence indicating phishing and malware delivery behavior.

Containment Recommendation

  • Quarantine or remove the email from affected mailboxes
  • Block the sender address and related domain if confirmed malicious
  • Block associated URLs and file indicators
  • Contact the recipient to confirm whether they clicked the link or opened the attachment
  • Search for similar phishing messages across the environment
  • Update detections and user awareness guidance as needed
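The mailbox search step above, together with the ZIP attachment check listed under Detection Opportunities, can be scripted against exported messages. The following is an added example and is not part of the original investigation or of the platform the alert came from: it parses .eml files with Python's standard email module, records the sender address, the originating SMTP IP from the earliest Received header, the subject, body URLs and any ZIP member names, and compares them with the indicators documented in this case. The two sample messages, the http://coffeeshoop.com/voucher URL, the voucher.zip / voucher.exe attachment, the 192.0.2.10 control address and the payload-extension list are constructed assumptions for illustration only.

```python
"""Added example: sweep exported .eml messages for the indicators in this case.
Only the sender, source IP and subject come from the write-up; the sample
messages, URL, attachment names and control address are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the case write-up.
IOC_SENDERS = {"free@coffeeshoop.com"}
IOC_DOMAINS = {"coffeeshoop.com"}
IOC_SOURCE_IPS = {"103.80.134.63"}
IOC_SUBJECTS = {"free coffee voucher"}
# Lure phrases quoted in the Email Analysis section.
URGENCY_PHRASES = ("hurry", "this offer expires soon")
# Assumption: member types that make a ZIP payload-like rather than a document bundle.
PAYLOAD_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".bat", ".cmd")

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def originating_ip(msg):
    """Each relay prepends its own Received header, so the SMTP source is the
    LAST one; walk the list bottom-up and return the first bracketed IP."""
    for hop in reversed(msg.get_all("Received", [])):
        found = RECEIVED_IP.search(hop)
        if found:
            return found.group(1)
    return None


def zip_payload_members(data):
    """List members of an in-memory ZIP with payload-like extensions.
    Inspection only: nothing is extracted to disk or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(PAYLOAD_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return the header fields an analyst records plus the IOC hits found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    # Compare the addr-spec, not the display name, so 'Coffee Shop <free@...>' cannot hide it.
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    domain = sender.rsplit("@", 1)[-1]
    subject = str(msg.get("Subject", "")).strip()
    source_ip = originating_ip(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = []
    if sender in IOC_SENDERS:
        hits.append("sender " + sender)
    elif domain in IOC_DOMAINS:
        hits.append("sender domain " + domain)
    if source_ip in IOC_SOURCE_IPS:
        hits.append("source ip " + source_ip)
    if subject.lower() in IOC_SUBJECTS:
        hits.append("subject lure")
    if any(p in text.lower() for p in URGENCY_PHRASES):
        hits.append("urgency phrasing")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            bad = zip_payload_members(part.get_payload(decode=True))
            hits.append(f"zip {name} contains {bad}" if bad else f"zip attachment {name}")
    return {"from": sender, "to": str(msg.get("To", "")), "subject": subject,
            "source_ip": source_ip, "urls": URL_RE.findall(text),
            "hits": hits, "verdict": "suspicious" if hits else "clean"}


def _build(sender, subject, body, external_hop, attach_zip=False):
    """Construct a sample .eml; Received headers are added most-recent first."""
    msg = EmailMessage()
    msg["Received"] = "from mx.letsdefend.io by mail.letsdefend.io; Mon, 1 Jan 2024 09:21:00 +0000"
    msg["Received"] = external_hop
    msg["From"], msg["To"], msg["Subject"] = sender, "felix@letsdefend.io", subject
    msg.set_content(body)
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("voucher.exe", b"MZ placeholder, not a real binary")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="voucher.zip")
    return msg.as_bytes()


# Constructed sample mirroring the case; the URL is a placeholder, not a real indicator.
PHISH_EML = _build("Coffee Shop Rewards <free@coffeeshoop.com>", "Free Coffee Voucher",
                   "Hurry! This offer expires soon: http://coffeeshoop.com/voucher",
                   "from coffeeshoop.com ([103.80.134.63]) by mx.letsdefend.io; Mon, 1 Jan 2024 09:20:00 +0000",
                   attach_zip=True)
# Constructed benign newsletter used as the negative control.
BENIGN_EML = _build("Newsletter <news@example.com>", "Monthly update",
                    "Here is this month's summary.",
                    "from mail.example.com ([192.0.2.10]) by mx.letsdefend.io; Mon, 1 Jan 2024 08:00:00 +0000")

if __name__ == "__main__":
    for label, eml in (("case sample", PHISH_EML), ("control", BENIGN_EML)):
        print(label, triage(eml))
```

To sweep an export, feed each file's bytes to triage() and pull every message whose hits include the source IP, sender or sender domain; those are block criteria on their own. The urgency phrasing is kept as a supporting signal rather than a block criterion, because the same wording appears in legitimate promotions, and the ZIP check only lists member names, so a payload-like member still goes to sandboxing rather than being opened by the analyst.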

Lessons Learned

  • User awareness remains critical against phishing campaigns that use urgency and reward-based lures.
  • Threat intelligence enrichment improved triage confidence and supported accurate classification.
  • Early IOC validation helped reduce investigation time and supported faster containment recommendations.
  • Allowed delivery status should be reviewed carefully because it increases the chance of user interaction.

Investigation Evidence

Selected screenshots from the phishing investigation workflow. These visuals support the written analysis and help show the investigation process.

Phishing email evidence

Suspicious phishing email delivered to the user inbox.

VirusTotal analysis result

Threat intelligence enrichment and URL analysis results.

SOC alert summary

SOC alert summary and investigation workflow evidence.