LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52
Details
EventID: 52
Event Time: Feb. 7, 2021, 4:24 a.m.
Rule: SOC120 - Phishing Mail Detected - Internal to Internal
Level: Security Analyst
SMTP Address: 172.16.20.3
Source Address: john@letsdefend.io
Destination Address: susie@letsdefend.io
E-mail Subject: Meeting
Device Action: Allowed
Playbook
Parse Email
- When was it sent? Feb. 7, 2021, 4:24 a.m.
- What is the email's SMTP address? 172.16.20.3
- What is the sender address? john@letsdefend.io
- What is the recipient address? susie@letsdefend.io
The content of the email is as follows:
Subject: Meeting
Source Address: john@letsdefend.io
Destination Address: susie@letsdefend.io
Hi Susie, Can we arrange a meeting today if you are available?
Phishing Mail Detected???????????
Are there attachments or URLs in the email?
Answer: No
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| john@letsdefend.io | E-mail Sender | |
| 172.16.20.3 | IP Address | Exchange Server |
FP!
End
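As an added example (not part of the original walkthrough or of LetsDefend's own tooling), a small Python helper that automates the Parse Email and Add Artifacts steps above on a constructed copy of the alert's message: it pulls out sender, recipient and the relaying SMTP address, and flags any attachments or URLs that would need further analysis before an FP verdict. The Received header and the host name in it are assumptions for the sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the alert's fields; the Received header is assumed.
RAW_EMAIL = """\
From: john@letsdefend.io
To: susie@letsdefend.io
Subject: Meeting
Received: from exchange.internal ([172.16.20.3])
Content-Type: text/plain; charset="utf-8"

Hi Susie,
Can we arrange a meeting today if you are available?
"""

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage_email(raw):
    """Return the playbook's Parse Email answers plus artifacts and payload indicators."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            attachments.append(filename or "<unnamed>")
            continue
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            urls.extend(URL_RE.findall(body))
    # Relaying SMTP servers appear as bracketed IPs in Received headers.
    smtp_ips = RECEIVED_IP_RE.findall(" ".join(msg.get_all("Received", [])))
    artifacts = [{"value": sender, "type": "E-mail Sender"}]
    artifacts += [{"value": ip, "type": "IP Address"} for ip in smtp_ips]
    return {
        "sender": sender,
        "recipient": recipient,
        "internal_to_internal": sender.split("@")[-1].lower() == recipient.split("@")[-1].lower(),
        "attachments": attachments,
        "urls": urls,
        "has_payload": bool(attachments or urls),  # anything here needs analysis, not an FP
        "artifacts": artifacts,
    }
```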
This is pure speculation, but perhaps the text of the email body is registered as a Phishing Mail rule pattern.