Anatomy of a Real Phishing Attack: How Defentive Detected and Stopped It in Action
Defentive
August 27, 2025 (Updated: August 27, 2025)
Executive Summary
On August 1, 2025, Defentive's detection stack intercepted a live phishing attempt targeting a user with a well-crafted HR-themed lure. The attacker impersonated an internal HR manager and delivered a phishing link masked as a SharePoint login to harvest credentials. Our behavioral detection logic identified the suspicious browser spawn from a high-risk parent process, triggering alerts even before any form submission.
This case study walks through the entire kill chain, from email delivery to credential submission, along with the captured POST request and the internal detection logs from Defentive's infrastructure.
Attack Timeline
Phishing Email Analysis
The email, titled "Employees/Staff Performance, Compensation and Payroll Update for 2025," appeared to come from an HR official. It contained spelling and grammatical errors ("administracion", "quaterly") and manufactured urgency ("sections highlighted in yellow are deductions due to poor performance").
The intent was clear: instill fear, prompt urgent review, and lead the user to a phishing link disguised as a salary review document.
MITRE ATT&CK Mapping:
T1566.002 — Spearphishing Link
T1583.006 — Acquire Infrastructure: Web Services (SharePoint clone hosted on a free Vercel app)
Phishing Page Hosted on Vercel
The link redirected to: https[:]//sourcelist[.]vercel[.]app/#administracion@[TARGET_COMPANY][.]com
The attacker cloned the SharePoint interface with high visual accuracy. The input field was pre-filled with the target's email address, which the lure carries in the URL fragment (the part after "#"). Browsers never send the fragment to the server, so the targeted address does not appear in proxy or web-server logs and is only visible in the full URL captured on the endpoint; the page's JavaScript presumably reads it client-side to populate the field. The "Sign in" button simulated a login process.
Once a password was entered, it triggered a JavaScript-based POST request.
POST Request & Exfiltration
Captured in browser DevTools, the credential was sent via a POST request to sourcelist[.]vercel[.]app/api/boss (the full path is listed in the IOC appendix). The response body was:
{
  "status": true,
  "message": "Telegram notification sent successfully"
}
This indicates that the credentials were forwarded to the attacker over the Telegram Bot API, a tactic increasingly used by phishing kits to bypass email-based detection systems and deliver data in real time. The response also shows that the forwarding happens server-side, inside the Vercel function behind /api/boss: the victim's browser only ever contacts the vercel.app host, so blocking Telegram at the endpoint or proxy would not have interrupted this exfiltration, and the phishing domain itself is the only network indicator visible from the client.
MITRE ATT&CK Mapping:
T1056.003 — Input Capture: Web Portal Capture (credentials entered into the cloned SharePoint sign-in page)
T1567 — Exfiltration Over Web Service (Telegram Bot API, called from the hosting platform's serverless function)
Detections by Defentive
Alert 1: Suspicious Browser Spawn
Detection Rule: Suspicious browser launch via URL from high-risk parent process
This alert was triggered by our parent-child process anomaly detection — identifying a non-browser process attempting to spawn Chrome/Edge with a suspicious URL.
Alert 2: Known Phishing Domain Accessed
Detection Rule: Highly abused Phishing domain
This was detected via Defentive's threat intelligence correlation engine, which maintains a live feed of known phishing infrastructure, including fast-spawning Vercel apps.
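The two alerts above, reduced to a runnable sketch. This is an added example, not Defentive's rule engine or code: rule 100501 fires when a browser is started with a URL on its command line by a high-risk parent, and rule 100502 when the URL's host matches a phishing-domain feed. Only the rule IDs and names are taken from this article; the process names, the sample process-creation events and the one-entry feed are constructed here for illustration. The example also pulls the targeted identity out of the URL fragment, which in this incident carried the victim's address.

```python
"""Added example, not Defentive's code: the two alerts above as a small
detection routine run over constructed process-creation events."""
from dataclasses import dataclass
from urllib.parse import urlparse, unquote
import re

# Assumed image names. A production rule would key on signed-binary identity,
# not on file names, which an attacker controls.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
HIGH_RISK_PARENTS = {"outlook.exe", "winword.exe", "excel.exe",
                     "teams.exe", "ms-teams.exe", "whatsapp.exe"}

# Constructed threat-intel feed standing in for the live phishing-domain set.
PHISHING_FEED = {"sourcelist.vercel.app"}

URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


@dataclass
class Alert:
    rule_id: int
    name: str
    url: str
    host: str
    victim_hint: str    # identity carried in the URL fragment, if any


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extract_url(command_line: str):
    m = URL_RE.search(command_line)
    return m.group(0) if m else None


def victim_from_fragment(url: str) -> str:
    # The lure put the target address after '#'. Browsers never send the
    # fragment to the server, so this hint exists only in endpoint telemetry.
    frag = unquote(urlparse(url).fragment)
    return frag if "@" in frag else ""


def host_in_feed(host: str) -> bool:
    # Exact match or subdomain of a feed entry.
    return any(host == d or host.endswith("." + d) for d in PHISHING_FEED)


def evaluate(event: ProcEvent) -> list:
    """Return the alerts one process-creation event raises (possibly none)."""
    alerts = []
    url = extract_url(event.command_line)
    if url is None or basename(event.image) not in BROWSERS:
        return alerts
    host = (urlparse(url).hostname or "").lower()
    hint = victim_from_fragment(url)
    if basename(event.parent_image) in HIGH_RISK_PARENTS:
        alerts.append(Alert(100501, "Suspicious browser launch via URL from "
                            "high-risk parent process", url, host, hint))
    if host_in_feed(host):
        alerts.append(Alert(100502, "Highly abused Phishing domain",
                            url, host, hint))
    return alerts


# Constructed sample events (paths and addresses are placeholders).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LURE = "https://sourcelist.vercel.app/#administracion@example.com"

SAMPLE_EVENTS = [
    # Outlook opens the lure in Edge: behavioral rule and feed hit.
    ProcEvent(OUTLOOK, EDGE, f'"{EDGE}" --single-argument {LURE}'),
    # Same page opened from an already-running browser (webmail tab): feed hit only.
    ProcEvent(CHROME, CHROME, f'"{CHROME}" https://sourcelist.vercel.app/#hr@example.com'),
    # Explorer launches a browser to a benign site: no alert.
    ProcEvent(r"C:\Windows\explorer.exe", CHROME, f'"{CHROME}" https://www.office.com/'),
    # Word spawns Edge to a host the feed has not seen yet: behavioral rule only.
    ProcEvent(WINWORD, EDGE, f'"{EDGE}" https://payroll-review-2025.vercel.app/'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for a in evaluate(ev):
            print(f"{a.rule_id} {a.name}: {a.host} (target hint: {a.victim_hint or '-'})")
```

The fourth sample event is the case the behavioral rule exists for: a freshly created Vercel app that no feed has seen yet still trips 100501, which is why the two stages are worth keeping independent. Matching on image names is a simplification; a deployed rule keys on binary identity and enriches the alert with the user and the source application.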
How Defentive Stopped It
This attack was detected at two independent stages:
Behavioral anomaly (browser spawned from suspicious parent)
Network intel (domain in phishing database)
Our detections are source-agnostic — meaning even if users click links from Gmail, WhatsApp, or Teams, Defentive monitors endpoint behavior to flag the anomaly in real time.
Defentive Threat Research
This incident is part of a broader pattern of phishing kits using:
Legitimate frontends (e.g., SharePoint clones)
Cloud providers like Vercel for ephemeral hosting
Messaging APIs (Telegram, Discord) for stealth exfiltration
Defentive's detection logic evolves through daily threat intelligence enrichment and telemetry correlation across client endpoints.
Detection Rule IDs:
100501 — Suspicious browser launch via URL from high-risk parent process (possible phishing attempt)
100502 — Highly abused Phishing domain (possible phishing attempt)
Appendix
Indicators of Compromise (IOCs):
sourcelist[.]vercel[.]app
sourcelist[.]vercel[.]app/api/boss
Response string "Telegram notification sent successfully" in the reply from /api/boss
Protect Your Business with Defentive
This real-world incident reinforces the importance of endpoint visibility and proactive threat detection, especially for SMEs with limited internal security teams.
Defentive operates 24/7 to detect such threats before damage occurs, combining behavioral analytics, threat intelligence, and rapid response playbooks.
Disclaimer: All screenshots have been anonymized. No client data is exposed. Analysis is based on a real detection handled within Defentive's environment.
https://www.defentive.com/
#phishing #malware #cybersecurity #telegram