Advent of Cyber DAY 12


🛡️ Spotting Phishing Emails: A SOC‑mas Survival Guide

Introduction

Since McSkidy’s disappearance, The Best Festival Company (TBFC) has been operating under reduced security visibility. Unfortunately, the Email Protection Platform is temporarily offline, forcing employees to manually review suspicious emails.

Threat intelligence reports suggest that Malhare’s Eggsploit Bunnies are actively distributing phishing emails across the organisation. These messages are designed to steal credentials, deliver malware, and disrupt SOC‑mas operations.

You’ve now joined the Incident Response Task Force, responsible for identifying malicious emails and protecting TBFC staff from deception.

Welcome to the mission.


🎯 Learning Objectives

By completing this task, you will learn how to:

  • Identify phishing emails accurately

  • Recognise modern and trending phishing techniques

  • Understand the difference between spam and phishing


🔍 Understanding Phishing Emails

What Is Phishing?

Phishing is one of the most effective and persistent cyberattacks. Even as technology improves, attackers continuously adapt their tactics to impersonate trusted people, services, and platforms.

Common phishing objectives include:

  • Credential theft

  • Malware delivery

  • Data exfiltration

  • Financial fraud

Phishing exploits the most difficult vulnerability to patch: human trust.


📩 Spam vs. Phishing

Not all unwanted emails are dangerous.

Spam

  • Annoying but usually harmless

  • Marketing messages, promotions, clickbait

Phishing

  • Targeted and deceptive

  • Designed to steal data or gain access

Understanding this distinction helps prevent unnecessary panic while ensuring real threats are escalated.


🎄 Common Phishing Techniques

1️⃣ Impersonation

Attackers pretend to be trusted individuals, departments, or services.

Example:
An email claiming to be from McSkidy requesting VPN access, but sent from a personal email address.

Red flags:

  • Sender domain doesn’t match the organisation

  • Unexpected requests for credentials


2️⃣ Social Engineering

Attackers manipulate emotions such as urgency, fear, or curiosity.

Common signs:

  • Urgent language (“act now”, “immediate action required”)

  • Requests to bypass normal communication channels

  • Pressure to provide sensitive information


3️⃣ Typosquatting and Punycode Domains

Attackers register deceptive domains that look legitimate.

  • Typosquatting: glthub.com instead of github.com

  • Punycode: internationalised domain names whose Unicode characters resemble Latin letters, so the address looks identical to a trusted one on screen

These domains are often used to host fake login pages.
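To make these two tricks concrete, here is an added example (not code from the TryHackMe room or from TBFC) of a small lookalike-domain checker: it renders punycode labels back to Unicode, flags labels that mix scripts or use a non-Latin script, and measures how close a domain is to a trusted one after folding glyph pairs such as rn/m and 0/o. The trusted-domain list and the similarity threshold are assumptions chosen for the demonstration.

```python
# Added example, not part of the original page or the TryHackMe room.
from __future__ import annotations
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of domains staff legitimately see (assumption for this example).
TRUSTED_DOMAINS = {"github.com", "tbfc.example", "login.microsoftonline.com"}
SIMILARITY_THRESHOLD = 0.85  # assumed cut-off for "close enough to be a typosquat"


def to_unicode(domain: str) -> str:
    """Render punycode labels (xn--...) as Unicode so lookalike glyphs become visible.

    Domains that are already Unicode, or that are not valid punycode, come back unchanged.
    """
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def scripts_in(label: str) -> set[str]:
    """Collect the Unicode scripts (first word of each character's name) used by letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def fold_confusables(text: str) -> str:
    """Collapse glyph pairs that read alike in a proportional font (rn->m, vv->w, 0->o, 1->l)."""
    return text.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def closest_trusted(domain: str) -> tuple[str, float]:
    """Return the trusted domain most similar to `domain` after folding, with its similarity ratio."""
    folded = fold_confusables(domain)
    best, score = "", 0.0
    for trusted in TRUSTED_DOMAINS:
        ratio = SequenceMatcher(None, folded, fold_confusables(trusted)).ratio()
        if ratio > score:
            best, score = trusted, ratio
    return best, score


def assess_domain(domain: str) -> dict:
    """Classify a sender or link domain as TRUSTED, SUSPICIOUS (with reasons) or UNKNOWN."""
    raw = domain.strip().lower().rstrip(".")
    shown = to_unicode(raw)
    if shown in TRUSTED_DOMAINS:
        return {"domain": shown, "verdict": "TRUSTED", "reasons": []}

    reasons = []
    if shown != raw:
        reasons.append(f"punycode {raw!r} renders as {shown!r}")
    for label in shown.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            reasons.append(f"mixed scripts in label {label!r}: {sorted(used)}")
        elif used and used != {"LATIN"}:
            reasons.append(f"non-Latin script in label {label!r}: {sorted(used)}")
    match, score = closest_trusted(shown)
    if score >= SIMILARITY_THRESHOLD:
        reasons.append(f"resembles trusted domain {match!r} (similarity {score:.2f})")
    return {"domain": shown, "verdict": "SUSPICIOUS" if reasons else "UNKNOWN", "reasons": reasons}


if __name__ == "__main__":
    # Constructed candidates: a real domain, the glthub typosquat from the text,
    # a Cyrillic-a "apple" domain in its punycode form, and an unrelated domain.
    cyrillic_apple = "\u0430pple.com".encode("idna").decode("ascii")
    for candidate in ["github.com", "glthub.com", cyrillic_apple, "news.example"]:
        print(assess_domain(candidate))
```

Run this over the domains in a suspicious email's From address and link targets; anything marked SUSPICIOUS with a "mixed scripts" or "resembles trusted domain" reason is worth escalating rather than clicking.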


4️⃣ Email Spoofing

Spoofed emails appear to come from legitimate senders.

Always verify:

  • SPF

  • DKIM

  • DMARC

  • Return‑Path

A failure in any of these checks is a strong indicator of spoofing.


5️⃣ Malicious Attachments

Attachments disguised as legitimate files can contain malicious scripts.

Example:
An HTML file pretending to be a voice message or document preview.
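The spoofing checks (SPF, DKIM, DMARC, Return-Path) and the attachment check above can be scripted for manual triage. The following is an added example, not code from the TryHackMe room or from TBFC: it parses one raw message with Python's standard `email` library, reads the SPF/DKIM/DMARC results from the Authentication-Results header, compares the Return-Path domain with the From domain, looks for the urgency phrases from the social-engineering section, and lists attachments with risky extensions such as an HTML "voice message". The sample message, the urgency phrase list and the extension list are constructed assumptions for the demonstration.

```python
# Added example, not part of the original page or the TryHackMe room.
from __future__ import annotations
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a "McSkidy" VPN request that fails SPF and DMARC, bounces to a
# different domain than it claims to come from, and carries an HTML "voice message".
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-deliver.example>
Authentication-Results: mx.tbfc.example; spf=fail smtp.mailfrom=mail-deliver.example; dkim=none; dmarc=fail header.from=tbfc.example
From: McSkidy <mcskidy@tbfc.example>
To: elf@tbfc.example
Subject: Urgent: VPN access needed - act now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="soc-mas-boundary"

--soc-mas-boundary
Content-Type: text/plain; charset="utf-8"

Please listen to the attached voice message and send me your VPN password immediately.
--soc-mas-boundary
Content-Type: text/html; name="VoiceMessage.html"
Content-Disposition: attachment; filename="VoiceMessage.html"

<html><body><script>/* constructed placeholder, no real payload */</script></body></html>
--soc-mas-boundary--
"""

URGENCY_PHRASES = ("act now", "immediate action", "immediately", "urgent")  # assumed list
RISKY_EXTENSIONS = (".html", ".htm", ".js", ".vbs", ".lnk", ".iso")  # assumed list


def domain_of(address_header: str) -> str:
    """Extract the domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def auth_results(header: str) -> dict[str, str]:
    """Pull the spf/dkim/dmarc results out of an Authentication-Results header."""
    return {name: result for name, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower())}


def triage(raw: str) -> dict:
    """Run the header, return-path, wording and attachment checks and return findings plus a verdict."""
    msg = message_from_string(raw, policy=policy.default)

    # Any SPF/DKIM/DMARC result other than "pass" (fail, none, softfail, ...) is recorded.
    auth = auth_results(str(msg.get("Authentication-Results", "")))
    auth_failures = {name: result for name, result in auth.items() if result != "pass"}

    # Return-Path is where bounces go; a different domain from the visible From is a spoofing sign.
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    return_path_mismatch = bool(return_path_domain) and return_path_domain != from_domain

    # Pressure wording in subject or body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body_text).lower()
    urgent_phrases = [phrase for phrase in URGENCY_PHRASES if phrase in text]

    # Attachments whose extension is a script or container rather than a document.
    risky_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXTENSIONS)
    ]

    hits = sum([bool(auth_failures), return_path_mismatch, bool(urgent_phrases), bool(risky_attachments)])
    verdict = "LIKELY PHISHING" if hits >= 2 else ("REVIEW" if hits else "NO FINDINGS")
    return {
        "from_domain": from_domain,
        "auth_failures": auth_failures,
        "return_path_mismatch": return_path_mismatch,
        "urgent_phrases": urgent_phrases,
        "risky_attachments": risky_attachments,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The verdict threshold (two independent findings) is deliberately simple; in practice a single failed DMARC result on a message that claims to come from your own domain is already enough to escalate, and the structured output lets an analyst see which of the red flags from this section fired.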


📈 Trending Phishing Techniques

As security controls improve, attackers adapt.

Modern phishing campaigns often involve:

  • Trusted platforms (OneDrive, Google Docs, Dropbox)

  • Redirection to fake login portals

  • Attractive offers (laptop upgrades, salary adjustments)

Fake Login Pages

Attackers clone familiar login services like:

  • Microsoft 365

  • Google Workspace

A domain may look legitimate but differ slightly on closer inspection.


Side‑Channel Communication

Some attackers move conversations off email to:

  • SMS

  • Messaging apps

  • Phone calls

Once outside corporate systems, security protections are reduced.


🎁 Mission Results: Saving SOC‑mas

After reviewing all suspicious emails, the Incident Response Task Force successfully identified each message.

✅ Classification Results

1️⃣ THM{yougotnumber1-keep-it-going}
2️⃣ THM{nmumber2-was-not-tha-thard!}
3️⃣ THM{Impersonation-is-areal-thing-keepIt}
4️⃣ THM{Get-back-SOC-mas!!}
5️⃣ THM{It-was-just-a-sp4m!!}
6️⃣ THM{number6-is-the-last-one!-DX!}


🏁 Conclusion

Phishing remains one of the most dangerous threats because it targets human behaviour, not technology. By understanding attacker techniques and validating email authenticity, organisations can significantly reduce their risk.

SOC‑mas is safe — for now.

Stay alert. Stay curious. Always verify.

