- The Phishing provider ingested an alert into Siemplify regarding a suspicious phishing email. The Phishing provider marked the email as suspicious for the following reasons:
  - The email was sent by an external sender (email@example.com).
  - The email was received by the monitored mailbox of the CFO (firstname.lastname@example.org).
  - The email contains a file attachment whose file hash is given as sha256 (46930ec6d7ddf5fc7dc7e08fe5ec4bf6); note that the value shown is 32 hex characters, the length of an MD5 digest, whereas a SHA-256 digest is 64.
- The Siemplify Playbook sends the alert's external entities (sender address, file hash) to ThreatFuse for evaluation. The action returned the following results:
  - email@example.com – marked as malicious
  - 46930ec6d7ddf5fc7dc7e08fe5ec4bf6 – marked as malicious
- ThreatFuse identified that these malicious entities are associated with the malware campaign “Email Campaign – Dangerous Word Document Malware Associated with Trickbot C&C”.
- The Playbook creates a “Campaign” entity, marks it as malicious, and adds it to the Case.
- Siemplify automation finds 6 similar cases and tags them with the name of the malware campaign. The case is escalated and its stage is changed to “Investigation”.
A Tier 2 Analyst can then continue the investigation in ThreatFuse to retrieve other entities related to this Email Campaign (see the Use Case “ThreatFuse – Triage and Investigation”), check whether any internal hosts interacted with them, or start the response process.
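The playbook flow described above, modelled in plain Python as an added example (this is not Siemplify's or ThreatFuse's own code or SDK). The intel verdicts, the in-memory case store and the similarity rule "shares at least one malicious entity" are constructed assumptions; the entity values are the placeholders from the walkthrough.

```python
from dataclasses import dataclass, field
CAMPAIGN = "Email Campaign - Dangerous Word Document Malware Associated with Trickbot C&C"
# Constructed stand-in for ThreatFuse verdicts: entity value -> (verdict, campaign)
INTEL = {"email@example.com": ("malicious", CAMPAIGN),
         "46930ec6d7ddf5fc7dc7e08fe5ec4bf6": ("malicious", CAMPAIGN)}

@dataclass
class Case:
    case_id: int
    entities: dict                        # entity value -> True if external to the org
    malicious: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    stage: str = "Triage"

def enrich(case, intel):
    """Send only the external entities (sender, file hash) for evaluation and
    return the set of campaigns the malicious ones are associated with."""
    campaigns = set()
    for value, external in case.entities.items():
        if not external:
            continue                      # the CFO's mailbox is internal: never sent out
        verdict, campaign = intel.get(value, ("unknown", None))
        if verdict == "malicious":
            case.malicious.add(value)
            if campaign:
                campaigns.add(campaign)
    return campaigns

def run_playbook(case, intel, all_cases):
    """Enrich, add a malicious Campaign entity, tag similar cases, escalate."""
    campaigns = enrich(case, intel)
    if not case.malicious:
        return []                         # nothing malicious: case stays in Triage
    for name in campaigns:                # the Campaign entity, marked malicious
        case.entities[name] = True
        case.malicious.add(name)
    # Similar cases (assumed rule): any other case sharing a malicious entity
    similar = [c for c in all_cases if c is not case and case.malicious & set(c.entities)]
    for c in similar + [case]:
        c.tags |= campaigns
    case.stage = "Investigation"
    return similar

def sample_cases():
    """Constructed case store: the alert, six cases sharing sender or hash, two unrelated."""
    sender, file_hash = "email@example.com", "46930ec6d7ddf5fc7dc7e08fe5ec4bf6"
    alert = Case(100, {sender: True, "firstname.lastname@example.org": False, file_hash: True})
    related = [Case(i, {sender: True}) for i in range(1, 4)] + [Case(i, {file_hash: True}) for i in range(4, 7)]
    unrelated = [Case(7, {"other@example.net": True}), Case(8, {"0" * 32: True})]
    return alert, [alert] + related + unrelated
```

Running `run_playbook(*sample_cases()[:1], INTEL, sample_cases()[1])` on a fresh store returns the six related cases, all tagged with the campaign name, and leaves the alert in the Investigation stage with the internal mailbox untouched.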