From Alert to Action: Investigating a Possible Phishing URL

gabriel de oliveira chaves — Tue, 31 Dec 2024 00:28:52 +0000

When working in a SOC (Security Operations Center), you may have a lot of alerts popping up in your queue, but not all of them are true positives. Let's dive into an alert of a possible phishing URL and analyze it to discover if it is a true positive or not.

First of all, we will take a look at the alert itself, then progress in its investigation:

As we can see, there's a URL of a WordPress plugin with a Russian domain. Let's not jump to conclusions but take a look at this URL using VirusTotal.

With this, we already have confirmation that it is indeed a phishing URL, but let's investigate it a little further to gather more artifacts and have a more solid analysis document.

After checking the IP address that we got from VirusTotal and looking into it with AbuseIPDB, we can see that someone has reported it once for phishing. If not for the VirusTotal hits, I wouldn't be certain that this is a phishing URL.

With this in mind, we can start our case and follow the playbook:

As we know, the URL is malicious, so we just continue the process.

Now we check if someone on our network has actually accessed this URL.

Now we know that someone did access it, and we also got an IP address that the URL connected to. When we search for it in AbuseIPDB, we can see that it has been used for phishing several times.

So we must go to our EDR and contain the machine that accessed these URLs as a security measure. After that, we can close our alert as a true positive.

DEV Community: gabriel de oliveira chaves

From Alert to Action: Investigating a Possible Phishing URL