June 6, 2026
Threat Hunting with Email Security - LetsDefend
This write-up is based on a training scenario from LetsDefend and is shared for educational purposes only.
0verRida
Hello everyone, I'm Fir (find me on LinkedIn). In this article, I'll share my threat hunting investigation based on an email security scenario from LetsDefend. In this lab, I analyzed suspicious emails, investigated malicious URLs, and correlated endpoint activity with threat intelligence. The goal was to understand how phishing emails can bypass defenses and lead to potential compromise.
Hypothesis
Attackers may use phishing emails with malicious domains and URLs to trick users into accessing attacker-controlled infrastructure, leading to potential compromise or malware execution.
Step 1: Identifying Suspicious Email Campaign
I started by analyzing emails received from suspicious domains. The counts below show that some potentially malicious emails bypassed email filtering.
Total emails from ".top" domains: 5
Emails with "Allowed" action: 2
Step 2: Email Content Investigation
Next, I analyzed the allowed emails. The sender address and the link below strongly suggest a phishing campaign using lure-based content.
Sender email: YouWon@chronocampaign.top
URL in email: http://chronocampaign.top/claim-your-gift-card
Step 3: User Interaction & DNS Activity
I then checked whether any internal system interacted with the malicious domain. The DNS and firewall records below confirm that a user accessed the malicious URL.
Source IP querying the domain: 192.168.150.5
Firewall action: allow
Step 4: Threat Intelligence Correlation
I correlated the domain and the observed activity with threat intelligence, which linked the campaign to a known threat actor group.
Associated APT group: APT-SR-34
Step 5: Endpoint Process Analysis
Finally, I analyzed the endpoint activity during access.
Process involved: outlook.exe (Company Name: Unknown)
MD5 hash attribution: APT-SR-34
This confirms that the activity is tied to the same threat group at both network and endpoint levels.
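The five steps above can be run as one correlation pass over the relevant logs. The script below is an added example written for this write-up, not code from LetsDefend or from the lab; the log field names and all sample records are constructed, the MD5 value is a labelled placeholder, and only the sender, domain, source IP and group name are taken from the findings above.

```python
import re
from collections import Counter
# Constructed sample records (field names are assumptions, not the lab's log schema).
EMAIL_LOG = [
    {"sender": "YouWon@chronocampaign.top", "url": "http://chronocampaign.top/claim-your-gift-card", "action": "Allowed"},
    {"sender": "news@updates.top", "url": "http://updates.top/news", "action": "Allowed"},
    {"sender": "a@spam1.top", "url": "http://spam1.top/", "action": "Blocked"},
    {"sender": "b@spam2.top", "url": "http://spam2.top/", "action": "Blocked"},
    {"sender": "c@spam3.top", "url": None, "action": "Quarantined"},
]
DNS_LOG = [  # firewall/DNS records: which internal host resolved which domain
    {"src_ip": "192.168.150.5", "query": "chronocampaign.top", "action": "allow"},
    {"src_ip": "192.168.150.7", "query": "corp.example", "action": "allow"},
]
THREAT_INTEL = {"chronocampaign.top": "APT-SR-34"}  # domain -> actor
PROCESS_LOG = [{"host_ip": "192.168.150.5", "process": "outlook.exe", "md5": "MD5_PLACEHOLDER"}]
HASH_INTEL = {"MD5_PLACEHOLDER": "APT-SR-34"}  # hash -> actor; placeholder, the lab's hash is not reproduced

def sender_tld(addr):
    return addr.rsplit(".", 1)[-1].lower()
def count_by_action(emails, tld="top"):
    """Step 1: how many mails came from the TLD and what the gateway did with each."""
    return Counter(e["action"] for e in emails if sender_tld(e["sender"]) == tld)

def allowed_with_url(emails, tld="top"):
    """Step 2: only the mails the gateway let through that carry a URL to pivot on."""
    return [e for e in emails if sender_tld(e["sender"]) == tld and e["action"].lower() == "allowed" and e["url"]]

def domain_of(url):
    return re.match(r"https?://([^/:]+)", url).group(1).lower()
def hosts_that_resolved(dns, domain):
    """Step 3: internal sources that looked up the lure domain and were allowed out."""
    return sorted({d["src_ip"] for d in dns if d["query"].lower() == domain and d["action"].lower() == "allow"})

def correlate(emails=EMAIL_LOG, dns=DNS_LOG, ti=THREAT_INTEL, procs=PROCESS_LOG, hash_ti=HASH_INTEL):
    """Steps 4-5: allowed lure -> resolving host -> process and hash -> actor attribution."""
    findings = []
    for e in allowed_with_url(emails):
        dom = domain_of(e["url"])
        for ip in hosts_that_resolved(dns, dom):  # a lure nobody resolved yields no finding
            on_host = [p for p in procs if p["host_ip"] == ip]
            findings.append({"sender": e["sender"], "domain": dom, "src_ip": ip,
                             "domain_actor": ti.get(dom),
                             "processes": [p["process"] for p in on_host],
                             "hash_actors": sorted({hash_ti.get(p["md5"]) for p in on_host} - {None})})
    return findings

def actor_confirmed(finding):
    """True when network (domain) and endpoint (hash) intel name the same group."""
    return finding["domain_actor"] is not None and finding["hash_actors"] == [finding["domain_actor"]]
```

The second allowed ".top" mail (updates.top) never appears in the DNS log, so it produces no finding: an allowed lure only becomes an incident once an internal host actually resolves it.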
Conclusion
This investigation shows how phishing emails can bypass defenses and lead to user interaction with malicious infrastructure. By correlating email logs, DNS activity, and endpoint data, the activity was linked to a known APT group, highlighting the need for continuous monitoring beyond email filtering alone.
Thanks for reading! If you're learning threat hunting or improving your email security analysis skills, feel free to share your thoughts. What topic are you exploring next?