Who: The user is Xochiquetzal Cruz (xcruz@phoenixintnl.

com), Job Title: NGS

Technical Project Manager, User Department: Next Generation Solutions.
User has no admin roles assigned.

Where:

1. Email received in the user’s inbox folder.

2. Device 1: pf3srlm9, OS: Windows11 64-bit (Onboarded, Device is

managed and compliant). Private IP: 192.168.100.4, Public IP:
136.226.0.189. Logged on user is xcruz.

When: The email was originally delivered at 2024-11-08T16:36 UTC. The

email moved to quarantine at 2024-11-08T17:16 UTC. The email was
received by the user from an external sender.

What Happened: The incident was triggered when the user reported an
email as malware or phish. The email contains 2 attachments and 1 URL. The
URL is marked as clean by MDO. The attachment has an ".xml" and “.docx”
file extension and one is marked as malicious payload by MDO. The URL,
attachments and email subjects have obvious signs of being malicious/phish
and titles to lure users into clicking on the phishing link. The analyst checked
the file hash and URL on different TI platforms like VT and the URL was
flagged as clean and file hash was not found. The analyst checked the deep
analysis information, and the file is marked as phish which contains a URL
having credential phishing attributes. The analyst investigated the URL, and
the URL was redirected to “Impersonated Microsoft Sign-in page". 2 other
similar emails were received from this sender in the last 30 days, from which
none are priority accounts. XXXX XXXXXX Xochiquetzal Cruz
(xcruz@phoenixintnl.com) downloaded the malicious attachment. The
analyst ran the relevant part of “CMP-Find-Entities-Involved-In-IOC-Query”
query, and the file was not detected on any other device. The analyst ran
“CMP-Find-New-Inbox-Rules-Created-By-User-Query” to check for suspicious
rules created in the last 90 days. Suspicious rule was not detected. The
analyst investigated the user's sign-in and audit logs and did not find
suspicious activity. The analyst also checked the MDCA logs and did not find
suspicious activity. The analyst ran the
“Cybermsi_Investigate_User_Function” query on this user and did not find
suspicious activity. The analyst checked the Device 1 timeline within +/-30
minutes of this incident, and did not find a suspicious activity (e.g., new
process creation, registry changes, PowerShell execution, account
enumeration, etc.). URL clicks were not detected by any of the users.
Response: The analyst blocked the sender, reset the password, and revoked
the user session. The analyst ran MDE AIR and full AV scan on the user
device (pf3srlm9) involved in the incident. The analyst ran the “Investigate
Recipient” on the user mailbox to detect if any rules were created for the
mailbox. The analyst performed soft delete remediation action on all
malicious emails received from this sender in the last 30 days. The analyst
will inform the PTI about the activity. The MDO AIR and MDE AIR are currently
running on email and device. The analyst will take further response actions
based on the AIR verdict if required.
Who: The user is Jeremy Jones (jeremy.jones@taec.net), Job Title: Senior
Construction Manager, User Department: 36. User has no admin roles
assigned.

Where: The email was originally delivered to the user’s inbox folder.

When: The email was originally delivered to the user’s inbox folder at 2024-
11-08T18:10 UTC and reported by the user at 2024-11-08T18:57 UTC. The
email was received by the user from an external sender.

What Happened: The incident was triggered when the user reported an
email as malware or phish. The email contains no URLs and 1 attachment.
The attachments are marked as clean by MDO. The attachments have an
“.svg" file extension and is marked as clean by MDO. The email subject has
no obvious signs of being malicious/phish-like attachments and titles to trick
users into downloading the file. The analyst checked the attachment on the
TI platform, like VT, where the attachment was not found. The analyst ran
the relevant part of “CMP-Find-Entities-Involved-In-IOC-Query” query, and the
file was not detected on any other device. The analyst investigated the
user's sign-in and audit logs and did not find suspicious activity. The analyst
ran the “Cybermsi_Investigate_User_Function” query on this user and did not
find suspicious activity. 03 other similar emails were received from this
sender in the last 30 days, from which 1 is priority account.
Who: The user is Denny Tabares (dtabares@phoenixintnl.com), Job Title:
Senior Corporate Accounting and Consolidation Manager, User Department:
Finance/Accounting. User has no admin roles assigned.

Where: Email received in user’s Inbox folder.

When: The email was originally delivered to the users inbox folder at 2024-
11-08T18:29 UTC and reported by the user at 2024-11-08T18:46 UTC. The
email was received by the user from an external sender.

What Happened: The incident was triggered when a user reported an email
as malware or phish. The email contains 1 URL and no attachments. The
URL are marked as clean by MDO. The URLs and email subjects have
obvious signs of being malicious/phish-like URLs and titles to trick users into
clicking on the phishing link.The analyst investigated the URL, and the URL
was redirected to an impersonated Microsoft sign-in page to steal user
credentials. The analyst checked the attachment and URL on the TI platform,
like VT, which was flagged as Malicious .The analyst investigated the user's
sign-in and audit logs and did not find suspicious activity. The analyst ran the
“Cybermsi_Investigate_User_Function” query on this user and did not find
suspicious activity. 1 other user received similar emails from this sender in
the last 30 days. from which one is priority account .URL clicks were not
detected by any of the users.

Response: : The MDO AIR is currently running on email. The analyst added
the URL as IOC. The analyst blocked the sender. The analyst soft deleted all
the malicious email. The analyst will take further action based on the AIR
verdict if required.
Who: The user is Denny Tabares (dtabares@phoenixintnl.com), Job Title:
Senior Corporate Accounting and Consolidation Manager, User Department:
Finance/Accounting. User has no admin roles assigned.

Where: The email was originally delivered to the user’s inbox folder.

When: The email was originally delivered to the user’s inbox folder at 2024-
11-08T18:29 UTC and reported by the user at 2024-11-08T18:53 UTC. The
email was received by the user from an external sender.

What Happened: The incident was triggered when the user reported an
email as malware or phish. The email contains 16 URLs and no attachments.
1 URL is marked as phish by MDO. The URLs and email subjects have obvious
signs of being malicious/phish-like URLs and titles to trick users into clicking
on the phishing link. The analyst checked the URLs on the TI platform, like
VT, where URL was flagged as clean. The analyst checked the URLs, and 1
URL was redirected to "Impersonated Microsoft page". The analyst
investigated the user's sign-in and audit logs and did not find suspicious
activity. The analyst ran the “Cybermsi_Investigate_User_Function” query on
this user and did not find suspicious activity. 4 other similar emails were
received from this sender in the last 30 days, from which few are the priority
accounts. URL clicks were not detected by any of the users.

Response: The MDO AIR is currently running on email. The analyst soft
deleted the malicious emails. The analyst added the URLs as IOC and
blocked the sender. The analyst will take further action based on the AIR
verdict if required.
Who: The user is Jennifer Fermano (jfermano@haffnersenergy.com), Job Title:
Chief Financial Officer, User Department: Executive. User has no admin roles
assigned.

Where: The email was originally delivered to the user’s inbox folder.

When: The email was originally delivered to the user’s inbox folder at 2024-
11-08T18:27 UTC and reported by the user at 2024-11-08T18:46 UTC. The
email was received by the user from an external sender.

What Happened: The incident was triggered when the user reported an
email as malware or phish. The email contains 1 URL and no attachments.
URL is marked as clean by MDO. The URLs and email subjects have obvious
signs of being malicious/phish-like URLs and titles to trick users into clicking
on the phishing link. The analyst checked the URLs on the TI platform, like
VT, where URL was flagged as malicious. The analyst checked the URLs, and
URL was redirected to "Impersonated Microsoft page". The analyst
investigated the user's sign-in and audit logs and did not find suspicious
activity. The analyst ran the “Cybermsi_Investigate_User_Function” query on
this user and did not find suspicious activity. 1 other similar emails were
received from this sender in the last 30 days, from which few are the priority
accounts. URL clicks were not detected by any of the users.

Response: The MDO AIR is currently running on email. The analyst soft
deleted the malicious emails. The analyst added the URLs as IOC and
blocked the sender. The analyst will take further action based on the AIR
verdict if required.
Who: The user is PowerApp (powerapp@ompimail.com), Job Title:
Information is not maintained, User Department: Information is not
maintained. User has admin roles assigned. (Priority Account)

Where:

1. Device 1: Information is not available. OS: Window 10. Browser: Edge

13.

2. IP 1: 209.214.212.154 (Stevens Point, Wisconsin, US) – IP is not

associated with VPN service, Apple Relay, etc.

3. App 1: App Service

4. Device 2: Information is not available. OS: Window 10. Browser: Rich

Client 5

5. IP 2: 52.176.162.6 (Des Moines, Iowa, US) – IP is not associated with

VPN service, Apple Relay, etc.

6. App 2: OneConnect for Dynamics

When: The user accessed App 1 from IP 1 at 2024-11-07T20:19 UTC, and

later user tried to access the App 2 from IP 2 at 2024-11-08T19:55 UTC.

What Happened: The user normally signs in from Stevens Point, Wisconsin,
US. The user previously accessed App 1 from IP 1 using Device 1. The user
satisfied with the first-factor authentication (Previously satisfied) and MFA
was not presented. Approximately 23 hours later, the user accessed App 2
from IP 2 using Device 2. The user satisfied the single-factor authentication
(No Authentication Details). The analyst ran the
“Cybermsi_Investigate_User_Function” query on this user, and nothing
suspicious was observed. The analyst investigated the user's audit logs and
sign-in logs and found nothing suspicious. The analyst ran “CMP-Find-Entities-
Involved-In-IOC-Query” and confirmed that IP 2 has not been the target IP
address for any device in the environment during the last 30 days. The
incident occurred because the user accessed App 2 from IP 2 using Device 2
for the first time in the last 30 days.

Response: The analyst will inform the CyberMSI Manager Group to dismiss
the user risk from EID without resetting the credentials.

Who:

1. The user is Daniel Martinez (dmartinez@phoenixintnl.com), Job Title:

Junior Software Developer, User Department: Information Technology.
User has no admin roles assigned.

2. The user is Gustavo Cruz (gcruz@phoenixintnl.com), Job Title: D365

Finance & Operations Developer, User Department: Information
Technology. User has no admin roles assigned.

Where: Application name: Platzi

When: The incident was triggered on 2024-11-08T22:23 UTC.

What Happened: The incident was triggered when the new volume app
policy enforced by PTI was triggered on the application Platzi. The users
downloaded 2.4 GB of data and uploaded 4 MB of data in the last 30 days.
The analyst did not find suspicious activity.

Response: The analyst will email the PTI team and request them to please
mark the app by following the link as sanctioned, unsanctioned, or monitored
per company policy. The CyberMSI team will take further response actions
based on the PTI response if required.

Updated Response: AIR completed its investigation with the verdict “No
threats found” on email and “Remediated” on user recipient. AIR on Device 1
has also completed investigating with the verdict “No threats found”. We will
close the incident as there is no further response action required for this
incident.