HIGH SEVERITY ● RESOLVED
NexSecure Bootcamp Final Project
Case Study #1 — DFIR · Email Analysis

Phishing Attack & Credential Compromise

Analyst
O.T. Nathaniel, AMICDFA, CCEP, CBTP
Incident ID
INC-2026-0303-001
Organisation
ABC Manufacturing Ltd (Simulated)
MITRE ATT&CK
T1566.001 · T1078
Date
March 3, 2026 — 09:17 AM

Scenario

On March 3rd, 2026 at 09:17 AM, a Finance department employee at ABC Manufacturing Ltd clicked a malicious link in a spoofed Microsoft IT Support email — subject: "Action Required: Verify Your Mailbox Storage Immediately." The link redirected to a credential harvesting page mimicking Microsoft 365. Within 20 minutes, the SOC detected both failed and successful authentication attempts from foreign IP addresses, indicating credentials had been harvested and were actively being used.

Incident Timeline

09:10 AM

Phishing Email Delivered

Spoofed Microsoft IT Support email delivered. Sender: support@microsoftsupport-alert.com. Subject line relies on urgency ("Action Required: Verify Your Mailbox Storage Immediately").

09:17 AM

Victim Clicked Link

Employee clicked malicious link — redirected to credential harvesting page mimicking Microsoft 365 login portal.

09:18 AM

Credentials Captured

Victim entered M365 credentials. Credentials silently captured by attacker's server.

09:22 AM

Successful Attacker Authentication

Attacker authenticated from foreign IP 185.220.101.47 (Eastern Europe). MFA was not enabled on the Finance account, so the harvested password alone was sufficient.

09:25 AM

Malicious Forwarding Rule Created

Attacker created auto-forwarding rule: all emails redirected to attacker@protonmail.com.

09:37 AM

SOC Alert — Impossible Travel

SIEM alert fired: "Impossible Travel — Login from Foreign IP." L1 analyst begins triage.

09:52 AM

Account Suspended

IT Security team disabled compromised account and revoked all active sessions/refresh tokens.

10:05 AM

Forwarding Rule Removed

L2 analyst identified and removed malicious auto-forwarding rule from mailbox.

10:30 AM

Incident Contained

Password reset. MFA enforced. Incident escalated to Incident Manager. Total containment: 68 minutes from first malicious login.

Why the Attack Succeeded

  • No MFA on the Finance employee's M365 account — attacker authenticated with credentials alone
  • Convincing email spoofing — sender domain closely mimicked Microsoft (microsoftsupport-alert.com vs microsoft.com)
  • Social engineering urgency — "Action Required, Immediately" pressured the employee into clicking without verifying the sender
  • No email gateway filtering — DMARC/DKIM/SPF were not enforced, so the spoofed email was delivered without being flagged
  • No security awareness training — employee not trained to verify sender domains

Indicators of Compromise (IOCs)

Phishing URL
http://verify-mailboxms365[.]com/login
Foreign IP (Primary)
185.220.101.47 — Eastern Europe
Foreign IP (Secondary)
45.153.160.2 — Tor Exit Node
Sender Domain
microsoftsupport-alert[.]com
Forwarding Rule
Auto-forward → attacker@protonmail.com
SIEM Alert
Impossible Travel — Nigeria to Eastern Europe <5 mins

SOC Process — L1 Triage & L2 Remediation

L1 Triage: Reviewed SIEM Impossible Travel alert. Pulled Azure AD sign-in logs — confirmed successful login from 185.220.101.47. Reviewed email logs — identified spoofed phishing email at 09:10 AM. Checked mailbox for forwarding rules — found active auto-forward to external address. Confirmed True Positive (TP). Escalated to L2 with full evidence package.

L2 Remediation: Disabled compromised M365 account and revoked sessions. Removed malicious forwarding rule. Blocked attacker IPs at firewall and Defender for Endpoint. Added phishing domain to email gateway blocklist. Conducted mailbox audit for exfiltration window (09:19–09:52 AM). Forced password reset + MFA enrolment. Notified Finance manager and DPO. Threat hunted all Finance accounts for same IOCs.
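The L1 checks above (correlating sign-in logs for impossible travel and failed-then-successful authentication, then confirming an external auto-forwarding rule) can be expressed as simple detection logic. The following is an added example, not tooling from the case study or from the SOC described; it runs over constructed sign-in events and inbox rules whose field names, the internal domain abc-mfg.example, and the country code assigned to the attacker IP are all assumptions made for the example.

```python
import json
from datetime import datetime

# Constructed Azure AD-style sign-in events, one JSON object per line.
# Field names and geolocations are assumptions for this example, not real log data
# (the country code attached to 185.220.101.47 is a placeholder, not a real lookup).
SAMPLE_SIGNINS = """\
{"time": "2026-03-03T09:02:00", "user": "finance.user@abc-mfg.example", "ip": "102.89.10.5", "country": "NG", "result": "Success"}
{"time": "2026-03-03T09:20:30", "user": "finance.user@abc-mfg.example", "ip": "185.220.101.47", "country": "RO", "result": "Failure"}
{"time": "2026-03-03T09:22:00", "user": "finance.user@abc-mfg.example", "ip": "185.220.101.47", "country": "RO", "result": "Success"}
{"time": "2026-03-03T09:30:00", "user": "hr.user@abc-mfg.example", "ip": "102.89.10.9", "country": "NG", "result": "Success"}
{"time": "2026-03-03T09:45:00", "user": "hr.user@abc-mfg.example", "ip": "102.89.10.9", "country": "NG", "result": "Success"}
"""

# Constructed inbox-rule export; attacker@protonmail.com is the address named in the
# report, the other mailboxes and rule names are placeholders.
SAMPLE_INBOX_RULES = [
    {"mailbox": "finance.user@abc-mfg.example", "name": ".", "forward_to": "attacker@protonmail.com"},
    {"mailbox": "hr.user@abc-mfg.example", "name": "Team updates", "forward_to": "hr.lead@abc-mfg.example"},
    {"mailbox": "hr.user@abc-mfg.example", "name": "Newsletters", "forward_to": None},
]

ORG_DOMAINS = {"abc-mfg.example"}  # assumed internal mail domain(s)


def parse_signins(text):
    """Parse newline-delimited JSON sign-ins into dicts with datetime timestamps, sorted per user."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: (e["user"], e["time"]))


def find_impossible_travel(events, min_travel_minutes=60):
    """Flag two successful sign-ins by one user from different countries closer
    together than any plausible travel time. A production rule uses geodistance
    and velocity; a flat per-country minimum keeps this example self-contained."""
    findings, last_success = [], {}
    for ev in events:
        if ev["result"] != "Success":
            continue
        prev = last_success.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            minutes = (ev["time"] - prev["time"]).total_seconds() / 60
            if minutes < min_travel_minutes:
                findings.append({"user": ev["user"], "from_country": prev["country"],
                                 "to_country": ev["country"], "from_ip": prev["ip"],
                                 "to_ip": ev["ip"], "minutes": round(minutes, 1)})
        last_success[ev["user"]] = ev
    return findings


def find_failed_then_success(events, window_minutes=10):
    """Flag a failed sign-in followed by a success from the same IP within the
    window: the pattern left by harvested credentials being tried out."""
    findings, last_failure = [], {}
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failure":
            last_failure[key] = ev
        elif ev["result"] == "Success" and key in last_failure:
            minutes = (ev["time"] - last_failure.pop(key)["time"]).total_seconds() / 60
            if minutes <= window_minutes:
                findings.append({"user": ev["user"], "ip": ev["ip"], "minutes": round(minutes, 1)})
    return findings


def find_external_forwarding(rules, org_domains):
    """Flag inbox rules that forward mail to a domain outside the organisation."""
    findings = []
    for rule in rules:
        target = rule.get("forward_to")
        if target and target.rsplit("@", 1)[-1].lower() not in org_domains:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "forward_to": target})
    return findings


def triage(signins_text, rules, org_domains):
    """Combine the three checks into an L1 verdict: a True Positive needs a
    suspicious login corroborated by a persistence artefact on the same mailbox."""
    events = parse_signins(signins_text)
    travel = find_impossible_travel(events)
    tried = find_failed_then_success(events)
    forwarding = find_external_forwarding(rules, org_domains)
    suspects = {f["user"] for f in travel} | {f["user"] for f in tried}
    corroborated = [f for f in forwarding if f["mailbox"] in suspects]
    if corroborated:
        verdict = "True Positive"
    elif travel or tried or forwarding:
        verdict = "Needs review"
    else:
        verdict = "No finding"
    return {"impossible_travel": travel, "failed_then_success": tried,
            "external_forwarding": forwarding, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS, SAMPLE_INBOX_RULES, ORG_DOMAINS), indent=2, default=str))
```

The verdict logic mirrors the escalation decision in the triage above: an impossible-travel hit on its own is worth a look, but a forwarding rule to an external address on the same mailbox is what turns it into a confirmed compromise.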

Recommendations

CRITICAL: Enforce MFA organisation-wide — especially Finance and HR accounts
HIGH: Implement DMARC (p=reject), DKIM, and SPF email authentication
HIGH: Deploy Microsoft Defender for Office 365 / ATP for advanced phishing detection
MEDIUM: Mandatory Security Awareness Training with quarterly phishing simulations
MEDIUM: SIEM alerting for impossible travel events and geo-anomalous logins
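The HIGH recommendation for DMARC (p=reject), DKIM and SPF, together with the sender-domain verification that awareness training is meant to instil, can be checked mechanically. The following added example is not part of the case study: it assesses constructed SPF and DMARC TXT records for a hypothetical domain (a weak configuration beside a hardened one) and flags lookalike sender domains that borrow a brand name, such as the report's microsoftsupport-alert.com. The records, the domain abc-mfg.example and the homoglyph table are assumptions; a real check would resolve the records from DNS rather than embed them.

```python
# Constructed DNS TXT records for a hypothetical domain (assumption for the example).
# spf.protection.outlook.com is the Microsoft 365 SPF include; everything else is placeholder.
RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@abc-mfg.example",
    },
    "hardened": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@abc-mfg.example; adkim=s; aspf=s",
    },
}

# Digit-for-letter substitutions commonly seen in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; empty means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    final = terms[-1].lower()
    if final != "-all":
        return [f"final mechanism is '{final}', expected '-all' so unauthorised senders hard-fail"]
    return []


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; empty means it matches the recommendation."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        issues.append(f"policy is p={policy}, recommended p=reject")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy is only applied to a sample of mail")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports on who is spoofing the domain are lost")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        issues.append("relaxed alignment (adkim/aspf=r); strict alignment (s) closes subdomain tricks")
    return issues


def assess_domain(records):
    """Assess both records for a domain as returned from DNS (here, from RECORDS)."""
    return {"spf": assess_spf(records["spf"]), "dmarc": assess_dmarc(records["dmarc"])}


def is_lookalike(sender_domain, brand, legit_domains):
    """True when a sender domain contains a brand name (after undoing digit
    homoglyphs) but is neither one of the brand's legitimate domains nor a
    subdomain of one."""
    domain = sender_domain.lower().strip(".")
    for legit in legit_domains:
        if domain == legit or domain.endswith("." + legit):
            return False
    return brand.lower() in domain.translate(HOMOGLYPHS)


if __name__ == "__main__":
    for name, recs in RECORDS.items():
        print(name, assess_domain(recs))
    for sender in ("microsoftsupport-alert.com", "support.microsoft.com", "micr0soft-verify.net"):
        print(sender, "lookalike" if is_lookalike(sender, "microsoft", {"microsoft.com"}) else "ok")
```

The lookalike check is deliberately conservative: it only says a domain is trading on a brand name, which is exactly the signal the Finance employee missed, and it is a gateway or training aid rather than a verdict on its own.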

Conclusion

The primary root cause was the absence of MFA on the Finance employee's account, allowing the attacker unrestricted access using only harvested credentials. Combined with missing email security filtering and insufficient user awareness, the attack succeeded with minimal technical sophistication. SOC detection via the SIEM Impossible Travel alert — 20 minutes after initial compromise — enabled rapid containment within 68 minutes. Implementation of MFA alone would have prevented this incident entirely.

Analyst: O.T. Nathaniel, AMICDFA, CCEP, CBTP, CTIGA | NexSecure Bootcamp | March 2026