General

  • Target

    Hello,

    We have received an alert for a possible phishing email.

    Sender: [email protected]
    Receiver: [email protected]
    Subject: Review/Response Required - CAQH Login Info.
    Time: 10:02:42

    Email looks to be from an internal source and doesn't have any suspicious notables in it, so this is likely not a malicious actor, but the sender is requesting that the recipient provide their credentials via email. Not sure what the SOP is for this type of inquiry, but this could be considered a risk. We do not recommend sending credentials via email, as either mailbox could be compromised in the future.

    Recommendation: Please investigate this email to determine if this is a safe and secure procedure. We would recommend to any user that it is not typically safe to share their personal credentials for any source via email, if possible.

    Effects of the Incident:
      domains: t.png 51.254 0.1 1.24 244.93 255.255 149.50 221.18 145.124 66.18 176.26 outlook.com outlook.com outlook.com outlook.com office365.com outlook.com outlook.com ppops.net outlook.com outlook.com outlook.com outlook.com outlook.com pardot.com ethosrisk.com salesforceiq.com namprd12.prod outlook.com namprd03.prod namprd02.prod office365.com ethosrisk.com ppops.net namprd04.prod amazonses.com salesforce.com pardot.com urldefense.com salesforceiq.com ethosrisk.com outlook.com
      subject: Potential Phish: Wanted to Say Hello
      urgency: low
      severity: unknown
      timestamp: 03/06/2024 10:03:33
      rule_title: HDSI Possible Phish Email SOC Report
      severities: unknown
      annotations: {"mitre_attack": ["Spearphishing Link", "Spearphishing Attachment", "Initial Access"]}
      attachments: /tmp/Ethos-_Why_Partner_with_Ethos_yodooove.pdf
      disposition: disposition:6
      notable_link: https://192.168.201.12:443/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=rule_id%3D%22A8B0EBCF-F649-477A-A7FE-D3F6A4DECA79%40%40notable%40%402826681977b3e9f214509dd6e27b315a%22
      notable_type: notable
      webhook_tags: soc_alert
      orig_rule_name: HDSI Possible Phish Email
      security_domain: threat
      submitter_email: [email protected]
      annotations._all: Spearphishing Attachment,Initial Access,Spearphishing Link
      disposition_label: Undetermined
      extract_artifacts: {"asset":["src","dest","dvc","orig_host"],"identity":["src_user","user","src_user_id","src_user_role","user_id","user_role","vendor_account"]}
      disposition_default: true
      annotations._frameworks: mitre_attack
      disposition_description: Event disposition has not been set.
      annotations.mitre_attack: Spearphishing Link,Spearphishing Attachment,Initial Access

    Splunk Results:
      - Query (subject filter quoting and the final sort field corrected so the search parses and orders by the renamed time field):
        index=mail sourcetype=spam_mailbox source=spam:mailbox (subject="*Review/Response Required - CAQH Login Info.*" OR subject="Potential Phish:*") "[email protected]"
        | mvexpand submitter
        | rex field=submitter "(?<submitter_email>[^<]+@[^>]+)"
        | rename _time as orig_time
        | eval orig_time=strftime(orig_time,"%m/%d/%y %H:%M:%S")
        | table orig_time, submitter, submitter_email, subject, observables*, message_type, "attachments{}", body
        | rename "observables{}.type" AS observables_type, "observables{}.value" AS observables_values, "attachments{}" AS attachments
        | eval observables=mvzip(observables_type, observables_values, ": ")
        | rex field=observables_values "(?P<domain>[\w_-]+\.[\w_-]+)$"
        | makemv domain
        | lookup http_intel domain AS domain OUTPUT domain AS threat_match
        | sort - orig_time
        | fillnull value="NULL"
        | eval subject=mvdedup(subject)
        | eval proofpoint=if(submitter_email=="[email protected]", "yes", "no")
        | sort - proofpoint
        | rex field=domain max_match=0 "(?<domain_mv>.*)\n"
        | eval domain=mvdedup(domain_mv)
        | table submitter_email subject domain observables threat_match body
      - Time: 3/5/24 10:00:00.000 AM to 3/6/24 10:59:53.000 AM
      - Link: https://smsplunkes01.select.corp.sem/en-US/app/search/search?sid=sgoodsite__sgoodsite__search__search1_1709740793.530935

Score
1/10

Malware Config

Signatures

Files