soc-portfolio / investigations / thm-phishing-sim CLOSED — All TPs Identified
← Back to case log
✔ Case closed — 3 True Positives · 2 False Positives

THM SOC Sim — Phishing Investigation

Platform TryHackMe SOC Simulator SIEM Splunk Category Phishing / Email Analysis Date May 2025 Analyst Hossam Hashem

// What Happened

Got 5 alerts in the queue, all phishing-related. Mix of inbound email alerts and one firewall block. Went through each one to figure out what's real and what's noise.

// Alert Summary

Alert ID Rule Verdict
#8814 Inbound Email — Suspicious External Link False Positive
#8815 Inbound Email — Suspicious External Link False Positive
#8816 Access to Blacklisted URL — Blocked by Firewall True Positive
#8817 Inbound Email — Suspicious External Link True Positive
#8818 Inbound Email — Suspicious External Link True Positive

// Alert Breakdown

#8814 & #8815 — False Positives

Both were legitimate emails that happened to contain external links. #8814 was an HR onboarding email sent to a new employee (j.garcia), linking to hrconnex.thm — clean domain, no endpoint activity in proxy logs. #8815 was similar. The detection rule is too broad; it flags anything with an external link regardless of context.

#8817 & #8818 — True Positives

These were the real ones. #8817 was a fake Amazon delivery email pushing the recipient to click a bit.ly link under a 48-hour urgency threat. Sender domain didn't match Amazon's actual infrastructure. Ran the link through VirusTotal — flagged as phishing. Confirmed in Splunk proxy logs that the user actually clicked it: 

index=main sourcetype=proxy dest_domain="bit.ly"
| table _time, src_ip, dest_url, action

#8818 was the same pattern, different sender spoof.

#8816 — True Positive (firewall block)

This one made sense once I connected it to #8817. The user clicked the bit.ly link; the firewall caught it and blocked the outbound connection. So #8816 wasn't a standalone event — it was the follow-on from the phishing email being clicked. Always worth correlating firewall blocks with email alerts around the same timestamp.

// IOCs

TypeValue
URL http://bit.ly/3sHkX3da12340
Sender Spoofed Amazon look-alike domain
Destination Phishing site (flagged on VirusTotal)

// MITRE ATT&CK

T1566.002 — Spearphishing Link T1036 — Masquerading (spoofed sender)

// Key Takeaways

The main lesson here was not treating all 5 alerts the same. Two were noisy rules, three were an actual attack chain. The firewall block (#8816) only made sense after correlating it with the email timestamps — that's the kind of pivoting that matters in real triage.

bit.ly links in emails are almost always a red flag. Never trust a shortened URL in an unsolicited email.