Jaime Barreto
LetsDefend SIEM Alert: Phishing Mail Detected - Internal to Internal - EventID: 52

Hello everyone, today we're going to solve another LetsDefend SIEM alert: Internal to Internal.

Internal to Internal refers to a phishing email sent from one internal email address to another internal email address. This suggests either that an employee's account has been compromised or that the email originated from inside the organization's network.

This phishing attack is dangerous because internal emails are trusted more than external ones, making it easier for recipients to open attachments or click on embedded links.

So we have to handle this alert promptly; it is crucial to safeguarding our organization's security.

So we start our investigation by creating the case and starting with the playbook:

Playbook - 52

  1. Parse Email

The first step in our investigation is to obtain information about the incoming email, and the playbook tells us to get the following:

  • When was it sent?
  • What is the email's SMTP address?
  • What is the sender address?
  • What is the recipient address?
  • Is the mail content suspicious?
  • Are there any attachments?

Parse Email - 52

Now we delve into answering these questions; the first one is in the Event Time:

EventTime - 52

  • When was it sent? Feb, 07, 2021, 04:24 AM

Now for the second question, which is also in the alert overview:

SMTP Address - 52

  • What is the email's SMTP address? 172.16.20.3

The third question asks for the sender address, which is in the Source Address field:

Source Address - 52

  • What is the sender address? john@letsdefend.io

The next one is just below:

Destination Address - 52

  • What is the recipient address? susie@letsdefend.io

The fifth question asks us to investigate whether the content of the email is suspicious. Here we go to Email Security and search for that email using the date, time, sender, and recipient, like this:

Mail Search - 52

And we click on the corresponding mail:

Inside Mail - 52

And now we can finally answer the last two questions:

  • Is the mail content suspicious?
    It seems like a normal, non-suspicious mail from one coworker to another.

  • Are there any attachments?
    No attachments are included in the email.

Now we continue with the Playbook and click on Next.

The Playbook now asks us if there were any attachments or any URLs in the email.

Attachments - 52

There were no attachments or URLs in the email, so we click on "No" and continue with the Playbook.
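To make the parse-email questions and the attachment/URL branch above repeatable, here is an added Python example (not part of the original post and not LetsDefend's own tooling) that answers them for a constructed message carrying the alert's sender, recipient and SMTP address; the internal domain `letsdefend.io`, the `Received` header layout and the body text are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: addresses and SMTP IP mirror the alert, the body is made up.
SAMPLE_RAW = """\
Received: from mail.letsdefend.io ([172.16.20.3])
From: john@letsdefend.io
To: susie@letsdefend.io
Subject: Meeting notes
Date: Sun, 07 Feb 2021 04:24:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi Susie, here are my notes from today's meeting. See you tomorrow.
"""

INTERNAL_DOMAINS = {"letsdefend.io"}  # assumption: the organisation's own domain
URL_RE = re.compile(r"(?:https?|hxxps?|ftp)://[^\s<>\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IP inside the Received header


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def triage(raw):
    """Answer the playbook's parse-email questions for one raw message."""
    msg = message_from_string(raw)
    sender, recipient = msg["From"], msg["To"]
    ips = IP_RE.findall(msg.get("Received", ""))
    urls, attachments = [], []
    for part in msg.walk():  # walks the single part or every MIME part
        if part.get_filename():
            attachments.append(part.get_filename())
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            urls += URL_RE.findall(payload.decode("utf-8", "replace"))
    internal = {domain_of(sender), domain_of(recipient)} <= INTERNAL_DOMAINS
    return {
        "sent": parsedate_to_datetime(msg["Date"]),
        "smtp_address": ips[0] if ips else None,
        "sender": sender,
        "recipient": recipient,
        "internal_to_internal": internal,
        "urls": urls,
        "attachments": attachments,
        # Playbook branch: with no URLs and no attachments there is nothing to analyse
        "needs_attachment_or_url_analysis": bool(urls or attachments),
    }
```

A URL or attachment in the returned dictionary is what would send the analyst down the "Yes" branch of the playbook instead of the "No" branch taken in this alert.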

Now let's add the artifacts found:

Source Address:
john@letsdefend.io

Destination Address:
susie@letsdefend.io

SMTP Address:
172.16.20.3

Click on Next.

Add any notes in here.

Finish the Playbook by clicking on Confirm.

We have all that we need to close this alert: it's a False Positive because there was nothing malicious in the email, no URLs or attachments.

Close the alert. Congratulations, another alert completed!
