LetsDefend EventID 34 Walkthrough

Detect

Parse Mail

• When was the email sent?

  • Dec, 05, 2020, 10:33 PM
    • Investigation Channel > Maximize Alert > Event Time

• What is the email’s SMTP address?

  • 112.85.42.180
    • Investigation Channel > Maximize Alert > SMTP Address
  • Talos IP and Reputation > China Unicom, Poor email reputation

• What is the sender address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Source Address
  • Talos IP & Domain Reputation > Questionable Web Reputation
  • URLVoid Website Report > Domain on Fortinet blacklist

• What is the recipient address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Destination Address

• Is the mail content suspicious?

  • Yes, urgent link in email body
    • Email Security > Searched the email >link in email body

Attachments or URLs in the email?

• Are there any attachments?
  • Yes, link of hxxp[://]bit[.]ly/3ecXem52
    • Email Security > Searched the email > link in body of email
• Email was ALLOWED
  • Investigation Channel > Maximize Alert > Device Action

Analyze

Analyze URL / Attachment