1. The Phishing provider ingested an alert into Siemplify regarding a suspicious phishing email. The email was marked as suspicious by the Phishing provider for the following reasons:
  • The email was sent by an external sender (notification@admin-server145.ml)
  • The email was received by the monitored mailbox of the CFO (finance@mycompany.com)
  • The email contain file attachment with file hash in sha256 (46930ec6d7ddf5fc7dc7e08fe5ec4bf6)
  1. Siemplify Playbook sends external alert entities (sender address, file hash) to ThreatFuse for evaluation. The action returned the following results:
  • notification@admin-server145.ml – marked as malicious
  • 46930ec6d7ddf5fc7dc7e08fe5ec4bf6 – marked as malicious

  1. ThreatFuse identified that those malicious entities are associated with a malware campaign “Email Campaign – Dangerous Word Document Malware Associated with Trickbot C&C”.

  1. The Playbook creates a “Campaign” entity, marks it as malicious, and adds to the Case.

  1. Siemplify automation finds 6 similar cases and tags them with the name of the malware campaign. The case is escalated and the case stage is changed to “Investigation”.
    A Tier 2 Analyst can proceed with an investigation in ThreatFuse to get other entities related to this Email Campaign (Use Case “ThreatFuse – Triage and Investigation”) and check if any internal hosts interacted with them, or start the response process.

Need more help with this?
Click here to open a Support ticket

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.