Event ID: 304
Rule Name: SOC326 – Impersonating Domain MX Record Change Detected
Severity: HIGH
Category: Brand Protection / Phishing
Event Time: September 17, 2024 – 12:05 PM
Impacted Asset: LETSDEFEND

Background

Sometimes attackers don’t kick the door down — they quietly make a copy of your house key first. In this case, the threat actor registered a look-alike domain and configured email infrastructure before launching a phishing campaign. What initially appeared to be an early warning quickly escalated into active exploitation, resulting in a user clicking a malicious link and communicating with attacker-controlled infrastructure.