# Day-17: “The Unusual Sign-In”

Your SOC receives an alert:

*A suspicious email was forwarded to the “phishing@pot” mailbox for investigation.*

Your task is to analyze the raw email headers and identify signs of spoofing, infrastructure abuse, and attacker intent.

<http://github.com/ngabalaax/30-day-soc/blob/main/day-17.eml>

***

### **📨 Raw Email (Captured)**

```
From: "Microsoft account team" <no-reply@access-accsecurity.com>
Reply-To: solutionteamrecognizd02@gmail.com
To: phishing@pot
Subject: Microsoft account unusual signin activity
Importance: high
X-Priority: 1
Date: Mon, 31 Jul 2023 21:11:10 +0000

Return-Path: bounce@providentusezn.co.uk
X-Sender-IP: 89.144.44.4

Authentication-Results:
    spf=none smtp.mailfrom=providentusezn.co.uk
    dkim=none
    dmarc=permerror header.from=access-accsecurity.com

Received:
    from providentusezn.co.uk (89.144.44.4)
    from VI1EUR06FT059.eop-eur06.prod.protection.outlook.com
    from AS4P192CA0020.outlook.office365.com
    from DS0PR19MB7299.namprd19.prod.outlook.com

Content-Type: text/html; charset="UTF-8"
Message-ID: <01b046e7-624f-4fac-a212-16aa7576a019@VI1EUR06FT059.eop-eur06.prod.protection.outlook.com>
```

***

### **🧠 HTML Body Extract**

```
Microsoft account
Unusual sign.in activity

We detected something unusual about a recent sign-in to the Microsoft account
phishing@pot.

<a href="mailto:solutionteamrecognizd02@gmail.com?Subject=Report+The+User">
Contact Support
</a>
```

***

## 🎯 **Challenge Objectives**

#### **1️⃣ Identify at least five indicators of phishing.**

Hints:

* Check sender domain vs. claimed identity
* SPF / DKIM / DMARC
* IP reputation
* Reply-To address mismatch
* Suspicious HTML body content

***

#### **2️⃣ Trace the sender’s infrastructure.**

Determine:

* Is the IP 89.144.44.4 legitimate?
* Which domain is actually sending?
* Which servers are spoofed?
* Why are multiple Outlook servers listed in `Received`?
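
The header triage behind objectives 1 and 2 can be scripted so the same checks run on every sample. The block below is an added example, not part of the original challenge page: it re-types the captured header block and the `mailto:` link from this page as an inline sample (constructed from the page, so it runs offline), then checks DMARC-style alignment between `From`, `Return-Path` and `Reply-To`, parses `Authentication-Results`, walks the `Received` chain and lists the indicators that can be seen without any external lookup. One caveat the page does not state: each hop prepends its own `Received` header, so in a real message the originating hop is the bottom-most one; the page lists hops origin-first and the sample keeps that order, which is why the script matches on the hop that is not a Microsoft relay instead of trusting position. The relay suffix list and the `indicators()` heuristics are this example's own assumptions.

```python
"""Header triage for the Day-17 sample (added example; sample reproduced from the page)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption for this example: hops on these suffixes are Microsoft relays, not the origin.
MICROSOFT_RELAY_SUFFIXES = ("protection.outlook.com", "outlook.office365.com", "prod.outlook.com")

# Constructed sample: the captured headers and the mailto link from this page, re-typed inline.
RAW = """\
From: "Microsoft account team" <no-reply@access-accsecurity.com>
Reply-To: solutionteamrecognizd02@gmail.com
To: phishing@pot
Subject: Microsoft account unusual signin activity
Importance: high
X-Priority: 1
Date: Mon, 31 Jul 2023 21:11:10 +0000
Return-Path: bounce@providentusezn.co.uk
X-Sender-IP: 89.144.44.4
Authentication-Results: spf=none smtp.mailfrom=providentusezn.co.uk;
 dkim=none; dmarc=permerror header.from=access-accsecurity.com
Received: from providentusezn.co.uk (89.144.44.4)
Received: from VI1EUR06FT059.eop-eur06.prod.protection.outlook.com
Received: from AS4P192CA0020.outlook.office365.com
Received: from DS0PR19MB7299.namprd19.prod.outlook.com
Content-Type: text/html; charset="UTF-8"

<a href="mailto:solutionteamrecognizd02@gmail.com?Subject=Report+The+User">Contact Support</a>
"""
MSG = message_from_string(RAW)


def domain_of(addr):
    """Domain part of an RFC 5322 address, lower-cased ('' if the header is absent)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg: Message) -> dict:
    """spf=/dkim=/dmarc= verdicts parsed out of Authentication-Results."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}


def alignment(msg: Message) -> dict:
    """Strict DMARC-style alignment of the visible From against envelope sender and Reply-To."""
    hdr_from, env_from, reply_to = (domain_of(msg[h]) for h in ("From", "Return-Path", "Reply-To"))
    return {
        "header_from": hdr_from,
        "envelope_from": env_from,
        "reply_to": reply_to,
        "spf_aligned": hdr_from == env_from,          # relaxed mode would also accept subdomains
        "reply_to_aligned": reply_to in ("", hdr_from),
    }


def received_hops(msg: Message) -> list:
    """Hostnames named in each Received header, in the order they appear in the message."""
    return [m.group(1).lower() for line in msg.get_all("Received", [])
            for m in [re.search(r"from\s+([^\s(]+)", line)] if m]


def origin_ip(msg: Message):
    """IPv4 literal on the first Received hop that is not a Microsoft relay; X-Sender-IP as fallback."""
    for line in msg.get_all("Received", []):
        host = re.search(r"from\s+([^\s(]+)", line)
        if host and host.group(1).lower().endswith(MICROSOFT_RELAY_SUFFIXES):
            continue
        ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", line)
        if ip:
            return ip.group(1)
    return msg.get("X-Sender-IP")


def mailto_targets(msg: Message) -> list:
    """Addresses behind mailto: links in a single-part HTML body (query string stripped)."""
    body = "" if msg.is_multipart() else msg.get_payload()
    return re.findall(r'href="mailto:([^"?]+)', body, re.I)


def indicators(msg: Message) -> list:
    """Phishing indicators visible from headers and body alone (no reputation lookups)."""
    found, al, ar = [], alignment(msg), auth_results(msg)
    if not al["spf_aligned"]:
        found.append(f"envelope sender {al['envelope_from']} != header From {al['header_from']}")
    if not al["reply_to_aligned"]:
        found.append(f"Reply-To points to third-party domain {al['reply_to']}")
    for mech in ("spf", "dkim", "dmarc"):
        if ar.get(mech) != "pass":
            found.append(f"{mech}={ar.get(mech, 'missing')}")
    if "microsoft" in (msg.get("From") or "").lower() and not al["header_from"].endswith("microsoft.com"):
        found.append("display name claims Microsoft but From domain is not microsoft.com")
    if msg.get("X-Priority") == "1" or (msg.get("Importance") or "").lower() == "high":
        found.append("urgency flags set (Importance/X-Priority)")
    found += [f"body mailto: link to {t}" for t in mailto_targets(msg) if domain_of(t) != al["header_from"]]
    return found


if __name__ == "__main__":
    print("origin IP:", origin_ip(MSG))
    print("hops:", " -> ".join(received_hops(MSG)))
    for item in indicators(MSG):
        print("-", item)
```

Run it as-is to see the triage for this sample, or point `message_from_string` at the `.eml` linked above (it contains the full, unabridged headers, so the Received chain will be in real bottom-up order and the folded `Authentication-Results` value will be longer). The alignment check is the heart of objective 3: `spf=none` on a domain that is not the `From` domain, `dkim=none`, and `dmarc=permerror` together mean no receiver-side policy could be enforced for `access-accsecurity.com`.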

***

#### **3️⃣ Explain how the attacker bypassed email filters.**

Consider:

* Domain misalignment
* “Return-Path” tricks
* Using Office365 infrastructure for relay
* Oversized content-length mismatch (two different values)

***

#### **4️⃣ Draft your final incident report summary.**

Include:

* Root cause
* Threat level
* Recommended mitigation steps
* Actions to block similar attempts

***

## 🏁 **Bonus Challenge (Hard Mode)**

**Extract the attacker-controlled domain and infer their phishing flow.**

Example:

* User → sees “Microsoft team”
* Clicks → reply-to Gmail
* Attacker collects victim email + device info
* Follow-up social engineering attempt

