Phishing Use Case

Phishing

Audience: Information Security Teams: CTI, SOC, DFIR

Challenge

Your organization receives a self-reported alert for a suspected phishing attempt. The Security Operations Center analyst triaging the alert requests that the Cyber Threat Intelligence team review the suspicious link, which directs recipients to an identified domain.

Avalon Collaboration

  • The CTI analyst places the suspicious domain name into an Avalon workspace they created. Once the entity has been added to the workspace, the analyst runs enrichments leveraging Cofense and Spycloud partner data from the Avalon Marketplace.
  • The analyst adds the enriched data from Spycloud and Cofense to the Avalon workspace and identifies a Cofense report that reveals this domain name being used in a finance-themed phishing campaign exploiting Office macros and linked to Emotet activity.
  • In response to these findings, the analyst decides to investigate further and conducts enrichments for Emotet malware. The analyst runs enrichments on Emotet from Marketplace-partnered dark web sources and discovers 1500 additional relevant data points, ranging from indicators of compromise to partner analysis and reporting.
  • The analyst is now able to write an investigative report within Avalon to report their findings to the SOC analyst and deliver additional known malicious indicators associated with Emotet for monitoring and blocking.
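The pivot described in these steps (reported link to domain, domain to campaign and malware family, family to further indicators for the SOC) can be scripted so the hand-off to the SOC is repeatable. The following is an added illustration, not code from Avalon or from King & Union: the Cofense, Spycloud and dark web feeds are stood in for by a small constructed record set, every indicator value in it is an invented placeholder, and the function names are the author's own.

```python
"""Enrichment pivot for a self-reported phishing link (added example, not
Avalon code). A constructed in-memory feed stands in for Marketplace partner
data; the values below are placeholders, not real indicators."""
import re
from urllib.parse import urlparse

# Constructed records standing in for partner enrichment data. Each value is a
# placeholder (documentation-range IP, reserved .example names, dummy hash).
FEED = [
    {"source": "partner-A", "type": "domain", "value": "invoice-portal.example",
     "campaign": "finance-themed phishing", "malware": "Emotet"},
    {"source": "partner-A", "type": "file_hash", "value": "PLACEHOLDER_SHA256",
     "campaign": "finance-themed phishing", "malware": "Emotet"},
    {"source": "partner-B", "type": "domain", "value": "payroll-update.example",
     "campaign": "hr-themed phishing", "malware": "Emotet"},
    {"source": "darkweb-C", "type": "ip", "value": "203.0.113.7",
     "campaign": None, "malware": "Emotet"},
    {"source": "partner-B", "type": "domain", "value": "unrelated.example",
     "campaign": "credential harvesting", "malware": "Unknown"},
]


def extract_domain(reported_url: str) -> str:
    """Normalise a user-reported link to its host name.

    Self-reported links often arrive defanged (hxxp://, [.] or (.)); refang
    them before parsing so the lookup key matches what the feeds carry."""
    url = reported_url.strip()
    url = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"),
                 url, flags=re.IGNORECASE)
    url = url.replace("[.]", ".").replace("(.)", ".")
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def enrich(value: str, feed=FEED):
    """First enrichment step: every partner record that mentions this value."""
    return [r for r in feed if r["value"] == value]


def pivot_malware(families, feed=FEED):
    """Second step: widen the search to everything tied to the malware family."""
    return [r for r in feed if r["malware"] in families]


def investigate(reported_url: str, feed=FEED) -> dict:
    """Run the domain -> campaign -> malware -> indicators pivot and return a
    report dict the SOC can act on (blocklist candidates exclude the reported
    domain itself, which the SOC already has)."""
    domain = extract_domain(reported_url)
    hits = enrich(domain, feed)
    campaigns = sorted({h["campaign"] for h in hits if h["campaign"]})
    families = sorted({h["malware"] for h in hits if h["malware"] != "Unknown"})
    related = pivot_malware(families, feed) if families else []
    indicators = sorted({(r["type"], r["value"]) for r in related
                         if r["value"] != domain})
    return {
        "domain": domain,
        "verdict": "malicious" if hits else "no partner match",
        "campaigns": campaigns,
        "malware": families,
        "related_count": len(related),
        "indicators": indicators,
    }


def format_report(report: dict) -> str:
    """Render the report as plain text for the hand-off to the SOC analyst."""
    lines = [f"Domain: {report['domain']}", f"Verdict: {report['verdict']}"]
    if report["campaigns"]:
        lines.append("Campaigns: " + ", ".join(report["campaigns"]))
    if report["malware"]:
        lines.append("Malware: " + ", ".join(report["malware"])
                     + f" ({report['related_count']} related records)")
    for kind, value in report["indicators"]:
        lines.append(f"  monitor/block {kind}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input in the defanged form an end user might report.
    print(format_report(investigate("hxxps://invoice-portal[.]example/docs/invoice.doc")))
```

Two design points carry over to a real integration: refang the reported link before using it as a lookup key, otherwise a defanged report silently returns "no partner match"; and keep the family-level pivot separate from the direct lookup, so the report distinguishes what the partner said about this domain from what is merely associated with the same malware family.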

Outcome

  • The analyst was able to quickly identify that the suspicious domain was indeed malicious and possibly part of a broader phishing campaign.
  • The analyst was able to link the event to a finance-themed phishing campaign designed to exploit Office macros, and subsequently identified that the activity is highly likely associated with Emotet.

About Us

King & Union is a cybersecurity company that has built and designed Avalon, the industry’s first cyber analysis platform. The Avalon Cyber Analysis Platform helps analysts streamline threat investigations by providing the intelligence, tools and collaboration security analysts need in a seamless, integrated workspace.