LetsDefend EventID 82 Walkthrough

Detect

Parse Mail

• When was the email sent?

  • March 21, 2021, 12:26 PM
    • Investigation Channel > Maximize Alert > Event Time

• What is the email’s SMTP address?

  • 189.162.189.159
    • Investigation Channel > Maximize Alert > SMTP Address
  • Talos IP and Reputation > Mexico, Network Owner: uninet, Poor IP and Email reputation, Listed on PBL.SPAMHAUS blocklist

• What is the sender address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Source Address
  • Talos IP & Domain Reputation > Favorable web reputation
  • URLVoid Website Report > Unknown reputation

• What is the recipient address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Destination Address

• Is the mail content suspicious?

  • Yes, suspiciously named file attached
  • hxxps[://]files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/72c812cf21909a48eb9cceb9e04b865d[.]zip
    • Email Security > Searched the email > Attachments > Suspicious Attachment

Attachments or URLs in the email?

• Are there any attachments?
  • Yes, suspicious file attached
  • hxxps[://]files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/72c812cf21909a48eb9cceb9e04b865d[.]zip
    • Email Security > Searched the email > Attachments section
• Email was BLOCKED
  • Investigation Channel > Maximize Alert > Device Action

Analyze

Analyze URL / Attachment