LetsDefend EventID 93 Walkthrough

Detect

Parse Mail

• When was the email sent?

  • Jun, 13, 2021, 02:13 PM
    • Investigation Channel > Maximize Alert > Event Time

• What is the email’s SMTP address?

  • 24.213.228.54
    • Investigation Channel > Maximize Alert > SMTP Address
  • Talos IP and Reputation > neutral
  • VirusTotal > clean
  • AbusIPDB > currently, Charter Communications (USA); previously, ChillScanner port scanner
  • Whois > Charter Communications

• What is the sender address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Source Address
  • Talos IP & Domain Reputation > nothing
  • URLVoid Website Report > nothing

• What is the recipient address?

  • [email protected]
    • Investigation Channel > Maximize Alert > Destination Address

• Is the mail content suspicious?

  • Yes, suspiciously named file attached
    • Email Security > Searched the email > Attachments > suspicious attachment

Attachments or URLs in the email?

• Are there any attachments?
  • Yes, suspicious file attached
    • Email Security > Searched the email > Attachments section
• Email was ALLOWED
  • Investigation Channel > Maximize Alert > Device Action

Analyze

Analyze URL / Attachment