NEW: Uncover the Latest Cyber Threats!
Stay ahead of evolving cyber threats. Download the H1 2025 Cyberseer SOC Threat Findings Report for insights on AiTM phishing, malware persistence, and more.
Introduction: A Phishing Attack Caught in Action
Phishing campaigns remain one of the most damaging cyber threats today, exploiting stolen credentials and impersonation tactics to bypass security controls. A recent incident involving one of Cyberseer’s customers highlighted the critical importance of real-time threat detection. Thanks to Cyberseer’s integration of industry-specific threat intelligence with Google SecOps and the CrowdStrike portal, the attack was identified and neutralised before any damage could occur. This blog outlines a step-by-step walkthrough of how our team detected, analysed, and responded to this high-severity phishing campaign.
Phase 1: Identifying the Suspicious Email
The first indication of a broad phishing campaign came from Cyberseer’s priority threat detection service, which flagged an email containing a subject line previously identified in an industry-specific threat intelligence feed the customer subscribes to. The intelligence included valuable context and a short keyword label – in this case “Phishing.”
Traditional email security solutions had missed the threat, allowing the email to land in inboxes undetected. However, Cyberseer’s custom threat intelligence integration with Google SecOps enabled immediate recognition of this phishing attempt. The customer received a large volume of emails with the same subject line, triggering an investigation. Upon further analysis of the sender details and email content, the emails were confirmed to be part of a phishing campaign.
Screenshot 1: Multiple Detections Triggered
This screenshot illustrates how multiple detections were flagged in a single day, all containing the same subject line, which matched a known phishing subject from a threat intelligence list.
Once the alert was raised, our analysts examined the email’s metadata and associated risk indicators to determine the level of threat. By leveraging real-time monitoring, Cyberseer’s detection rules identified the email’s characteristics as high risk, prompting immediate investigation.
Phase 2: Investigating the Indicators of Compromise (IoCs)
To validate the nature of the threat, Cyberseer’s team cross-referenced key indicators of compromise (IoCs) with existing threat intelligence. A deeper investigation revealed several red flags:
- The email originated from an unusual domain that failed Sender Policy Framework (SPF) validation, making it a likely spoofing attempt.
- Embedded links redirected to a fraudulent login page, designed to harvest credentials, mimicking a legitimate service.
- Additionally, the attached file contained an obfuscated PowerShell script, a technique commonly used in phishing attack campaigns.
Screenshot 2: Threat Intelligence Entry Matching the Phishing Email
The screenshot above highlights how Google SecOps automati
cally identifies the phishing attempt by cross-referencing it with known threat intelligence entries. The event logs display all relevant email metadata, including the sender, recipient, and message subject.
After analysing these factors, it became evident that the email was part of a known phishing campaign. This reinforced the urgency of escalating the incident before any users engaged with it.
Phase 3: Blocking the Threat and Preventing Account Compromise
Once Cyberseer confirmed the email as malicious, swift action was taken to neutralise the risk before employees could interact with it. Our security team implemented a series of containment measures:
- The sender domain and all associated URLs were blacklisted in the email gateway and endpoint security policies to prevent further attempts.
- Every instance of the email was automatically purged from inboxes, ensuring that no employee could inadvertently engage with the phishing attempt.
- Additionally, Cyberseer activated heightened monitoring for any unauthorised login attempts, reducing the possibility of credential compromise.
Phase 4: Enhancing Admin Oversight and Identity Security
Beyond stopping the immediate attack, Cyberseer worked proactively to strengthen identity security and prevent similar threats in the future. Using Google SecOps and CrowdStrike’s identity protection, our team implemented enhanced security measures:
- Privileged account activity was closely monitored to ensure that no admin credentials were misused following the phishing attempt.
- To further mitigate risk, adaptive MFA policies were enforced, requiring additional authentication for flagged users or unusual login attempts.
- Additionally, threat intelligence detection rules were refined to automatically escalate similar threats, making future detection even faster.
Screenshot 3: Homoglyph Attack Attempt
This screenshot demonstrates how the phishing sender used a homoglyph attack to impersonate Capital One, exploiting visually similar characters to create a deceptive email address. Homoglyph attacks rely on substituting characters from different alphabets or character sets that appear nearly identical to legitimate ones, making them difficult to spot. This technique is commonly used in phishing to bypass security filters and trick users into trusting fraudulent messages. By identifying this attack method, Cyberseer was able to block the threat and refine detection rules for similar patterns in the future.
The Key Takeaways: Why This Matters
Cyberseer’s proactive approach enabled rapid detection, containment, and mitigation of a high-severity phishing campaign. This case study highlights three key lessons:
- A well-integrated threat intelligence strategy enhances detection capabilities, ensuring industry-specific threats are identified faster.
- Combining multiple security layers, such as Google SecOps and CrowdStrike, provides a comprehensive shield against cyber threats.
- Finally, real-time detection and response are crucial, as they allow security teams to neutralise threats before they escalate into a full-blown breach.
How Cyberseer Helps Businesses Stay Ahead
Cyber threats are constantly evolving—so should your defences. Cyberseer partners with businesses to customise security solutions, ensuring threats are detected and neutralised before they can cause harm. Our priority threat detection service enables organisations to leverage real-time intelligence, automated detection rules, and expert analysis to stay ahead of attackers.
If you want to enhance your organisation’s identity security and stop threats before they escalate, get in touch with Cyberseer today.
