gabriel de oliveira chaves
From Alert to Action: Investigating a Possible Phishing URL

When working in a SOC (Security Operations Center), a lot of alerts may pop up in your queue, but not all of them are true positives. Let's dive into an alert for a possible phishing URL and analyze it to determine whether it is a true positive.

First, we take a look at the alert itself, then work through its investigation:

[Image]

As we can see, the alert contains a URL pointing at a WordPress plugin path on a Russian domain. Let's not jump to conclusions; instead, we check the URL in VirusTotal.

[Image]

VirusTotal already flags the URL as phishing, which is strong evidence that the alert is a true positive. Still, let's investigate a little further to gather more artifacts and produce a more solid analysis document.

[Image]

Checking the IP address we got from VirusTotal in AbuseIPDB, we can see that someone has reported it once for phishing. A single report is weak evidence on its own; if not for the VirusTotal hits, I wouldn't be certain that this is a phishing URL.
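The VirusTotal and AbuseIPDB lookups above can be scripted so the same enrichment runs for every alert in the queue. The following is an added example, not code from the post or from either service: it encodes a URL the way VirusTotal's v3 API expects (unpadded URL-safe base64), fetches the URL and IP reports, and reduces them to a triage verdict. The API keys, the sample responses and the thresholds in `classify` are assumptions constructed for illustration; only the fetch functions touch the network, so the rest runs offline.

```python
"""Enrich a suspected phishing URL with VirusTotal and AbuseIPDB.

Added example for this post (not the author's code). The fetch_* functions
hit the real VirusTotal v3 and AbuseIPDB v2 endpoints and need API keys; the
parsing and verdict functions are pure and run offline against the
constructed sample responses at the bottom.
"""
import base64
import json
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"
ABUSEIPDB_API = "https://api.abuseipdb.com/api/v2/check"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its URL-safe base64 with '=' padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def _get_json(url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_vt_url_report(url: str, api_key: str) -> dict:
    """GET /urls/{id}; api_key is an assumed VirusTotal key."""
    return _get_json(f"{VT_API}/urls/{vt_url_id(url)}", {"x-apikey": api_key})


def fetch_abuseipdb_report(ip: str, api_key: str) -> dict:
    """GET /check over the last 90 days; api_key is an assumed AbuseIPDB key."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": 90})
    return _get_json(f"{ABUSEIPDB_API}?{query}",
                     {"Key": api_key, "Accept": "application/json"})


def summarize_vt_url(report: dict) -> tuple[int, int]:
    """Return (engines flagging malicious/suspicious, engines naming phishing)."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    phishing = sum(
        1 for r in attrs.get("last_analysis_results", {}).values()
        if r.get("category") in ("malicious", "suspicious")
        and "phishing" in (r.get("result") or "").lower()
    )
    return flagged, phishing


def summarize_abuseipdb(report: dict) -> tuple[int, int]:
    """Return (abuse confidence score 0-100, number of reports in the window)."""
    data = report["data"]
    return int(data.get("abuseConfidenceScore", 0)), int(data.get("totalReports", 0))


def classify(flagged: int, phishing: int, abuse_score: int, abuse_reports: int) -> str:
    """Turn the enrichment into a verdict. Thresholds are illustrative assumptions:
    vendor consensus on the URL carries the decision; a single AbuseIPDB report,
    as in the post, is too weak to confirm anything and only escalates for review."""
    if flagged >= 3 or phishing >= 2:
        return "true positive"
    if flagged >= 1 or abuse_score >= 25 or abuse_reports >= 1:
        return "needs analyst review"
    return "likely false positive"


def triage_from_reports(url: str, vt_report: dict, abuse_report: dict) -> dict:
    """Combine both reports into one record suitable for the case notes."""
    flagged, phishing = summarize_vt_url(vt_report)
    score, reports = summarize_abuseipdb(abuse_report)
    return {"url": url, "vt_id": vt_url_id(url), "vt_flagged": flagged,
            "vt_phishing": phishing, "abuse_score": score, "abuse_reports": reports,
            "verdict": classify(flagged, phishing, score, reports)}


# Constructed sample responses shaped like the real APIs (abbreviated, not real data).
SAMPLE_VT_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 60, "malicious": 7, "suspicious": 1,
                            "undetected": 25, "timeout": 0},
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "phishing"},
        "VendorB": {"category": "malicious", "result": "phishing"},
        "VendorC": {"category": "suspicious", "result": "suspicious"},
        "VendorD": {"category": "harmless", "result": "clean"},
    },
}}}
SAMPLE_ABUSE_REPORT = {"data": {"ipAddress": "203.0.113.10",
                                "abuseConfidenceScore": 4, "totalReports": 1}}
```

To run it live, replace the sample dictionaries with `fetch_vt_url_report(url, key)` and `fetch_abuseipdb_report(ip, key)`; the verdict logic stays the same, and the `vt_id` in the record is what you paste into the VirusTotal UI to reach the same report.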

With this in mind, we open a case and follow the playbook:

[Image]

Since the URL is known to be malicious, we continue down the playbook.

[Image]

Next, we check whether anyone on our network actually accessed this URL, for example by searching the proxy or DNS logs for the domain.

[Image]

Now we know that someone did access it, and the logs also give us the IP address the host connected to when it fetched the URL. When we search for that IP in AbuseIPDB, we can see it has been reported for phishing several times.
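The "did anyone reach it" check and the pivot to the server IP can be done with a small script over the proxy logs. The following is an added example, not the author's code or the tooling shown in the screenshots: the log format, the sample lines and the flagged URL are constructed. It matches on hostname so http/https and letter-case variants are caught, lists the clients that POSTed to the page (likely credential submission), and surfaces other hostnames served from the same IP as leads to review, not as proof, since shared hosting makes IP pivots noisy.

```python
"""Find internal hosts that reached a flagged URL and pivot on the server IP.

Added example for this post (not the author's code). The log format and the
sample lines are constructed; adapt LINE_RE to your proxy's actual format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed URL standing in for the one in the alert.
FLAGGED_URL = "http://example.invalid/wp-content/plugins/update/login.php"

# Constructed lines in a simplified proxy format:
# <timestamp> <client_ip> <method> <url> <status> <server_ip>
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.20.4.15 GET http://example.invalid/wp-content/plugins/update/login.php 200 203.0.113.10
2024-05-02T09:14:05Z 10.20.4.15 POST http://example.invalid/wp-content/plugins/update/post.php 302 203.0.113.10
2024-05-02T09:20:41Z 10.20.7.88 GET https://EXAMPLE.invalid/favicon.ico 404 203.0.113.10
2024-05-02T09:21:10Z 10.20.9.3 GET http://safe.example/news 200 192.0.2.44
2024-05-02T09:22:00Z 10.20.4.15 GET http://another.example/ 200 198.51.100.7
2024-05-02T09:25:30Z 10.20.11.2 GET http://other.example/x 200 203.0.113.10
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line: str) -> dict | None:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, server = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "server": server}


def hostname_of(url: str) -> str | None:
    """urlsplit().hostname is lower-cased, so scheme and case differences collapse."""
    return urlsplit(url).hostname


def find_access(log_text: str, flagged_url: str) -> dict[str, list[dict]]:
    """Map each client that contacted the flagged URL's host to its requests."""
    target = hostname_of(flagged_url)
    hits: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and hostname_of(rec["url"]) == target:
            hits[rec["client"]].append(rec)
    return dict(hits)


def server_ips(hits: dict[str, list[dict]]) -> set[str]:
    """Server IPs the phishing host resolved to: the artifact to check in AbuseIPDB."""
    return {rec["server"] for recs in hits.values() for rec in recs}


def submitted_data(hits: dict[str, list[dict]]) -> set[str]:
    """Clients that POSTed to the phishing host; treat their credentials as exposed."""
    return {c for c, recs in hits.items() if any(r["method"] == "POST" for r in recs)}


def pivot_on_server_ips(log_text: str, ips: set[str],
                        exclude_host: str | None) -> dict[str, list[dict]]:
    """Requests to other hostnames served from the same IPs. Shared hosting makes
    this noisy, so the result is a lead for review, not proof of compromise."""
    related: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["server"] in ips and hostname_of(rec["url"]) != exclude_host:
            related[rec["client"]].append(rec)
    return dict(related)
```

On the constructed sample, two clients reached the phishing host, one of them POSTed to it, and one further client talked to the same server IP under a different hostname; the first two go to containment, the third goes on the review list.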

[Image]

So we go to our EDR and contain the machine that accessed these URLs as a precaution. If the logs show the user submitted data to the page, treat any credentials entered as compromised and have them reset. After that, we document the findings and close the alert as a true positive.
