Day-17: — “The Unusual Sign-In

Your SOC receives an alert: A suspicious email was forwarded to the “phishing@pot” mailbox for investigation.

Your task is to analyze the raw email headers and identify signs of spoofing, infrastructure abuse, and attacker intent.

http://github.com/ngabalaax/30-day-soc/blob/main/day-17.eml

📨 Raw Email (Captured)

From: "Microsoft account team" <no-reply@access-accsecurity.com>
Reply-To: solutionteamrecognizd02@gmail.com
To: phishing@pot
Subject: Microsoft account unusual signin activity
Importance: high
X-Priority: 1
Date: Mon, 31 Jul 2023 21:11:10 +0000

Return-Path: bounce@providentusezn.co.uk
X-Sender-IP: 89.144.44.4

Authentication-Results:
    spf=none smtp.mailfrom=providentusezn.co.uk
    dkim=none
    dmarc=permerror header.from=access-accsecurity.com

Received:
    from providentusezn.co.uk (89.144.44.4)
    from VI1EUR06FT059.eop-eur06.prod.protection.outlook.com
    from AS4P192CA0020.outlook.office365.com
    from DS0PR19MB7299.namprd19.prod.outlook.com

Content-Type: text/html; charset="UTF-8"
Message-ID: <01b046e7-624f-4fac-a212-16aa7576a019@VI1EUR06FT059.eop-eur06.prod.protection.outlook.com>

🧠 HTML Body Extract

Microsoft account
Unusual sign.in activity

We detected something unusual about a recent sign-in to the Microsoft account
phishing@pot.

<a href="mailto:solutionteamrecognizd02@gmail.com?Subject=Report+The+User">
Contact Support
</a>

🎯 Challenge Objectives

1️⃣ Identify at least five indicators of phishing.

Hints:

Check sender domain vs. claimed identity
SPF / DKIM / DMARC
IP reputation
Reply-To address mismatch
Suspicious HTML body content

2️⃣ Trace the sender’s infrastructure.

Determine:

Is the IP 89.144.44.4 legitimate?
Which domain is actually sending?
Which servers are spoofed?
Why are multiple Outlook servers listed in Received?

3️⃣ Explain how the attacker bypassed email filters.

Consider:

Domain misalignment
“Return-Path” tricks
Using Office365 infrastructure for relay
Oversized content-length mismatch (two different values)

4️⃣ Draft your final incident report summary.

Include:

Root cause
Threat level
Recommended mitigation steps
Actions to block similar attempts

🏁 Bonus Challenge (Hard Mode)

Extract the attacker-controlled domain and infer their phishing flow. Example:

User → sees “Microsoft team”
Clicks → reply-to Gmail
Attacker collects victim email + device info
Follow-up social engineering attempt

PreviousDay-16: The Gummies Trap — Investigate a Suspicious OTTO Newsletter Email NextDay-18: JAPANESE PHISHING EMAILS Attacks Anaysis

Last updated 3 months ago

hashtag📨 Raw Email (Captured)

hashtag🧠 HTML Body Extract

hashtag🎯 Challenge Objectives

hashtag1️⃣ Identify at least five indicators of phishing.

hashtag2️⃣ Trace the sender’s infrastructure.

hashtag3️⃣ Explain how the attacker bypassed email filters.

hashtag4️⃣ Draft your final incident report summary.

hashtag🏁 Bonus Challenge (Hard Mode)