SOC326 Case Study: Impersonating Domain MX Record Change Leading to Active Phishing Campaign
Event ID: 304
Rule Name: SOC326 – Impersonating Domain MX Record Change Detected
Severity: HIGH
Category: Brand Protection / Phishing
Event Time: September 17, 2024 – 12:05 PM
Impacted Asset: LETSDEFEND
Background
Sometimes attackers don’t kick the door down — they quietly make a copy of your house key first.
In this case, the threat actor registered a look-alike domain and configured email infrastructure before launching a phishing campaign. What initially appeared to be an early warning quickly escalated into active exploitation, resulting in a user clicking a malicious link and communicating with attacker-controlled infrastructure.
Incident Analysis Summary
| Field | Analysis |
|---|---|
| Alert Name | SOC326 – Impersonating Domain MX Record Change Detected |
| Severity | High (Confirmed Phishing Activity) |
| Event ID | 304 |
| Event Time | Sep 17, 2024 – 12:05 PM |
| Impersonated Domain | letsdefwnd[.]io |
| MX Record | mail.mailerhost.net |
| Alert Source | no-reply@cti-report.io |
| Alert Verdict | True Positive |
1. Alert Overview
The alert was generated by Digital Risk Protection after detecting a Mail Exchange (MX) record change on a suspicious domain closely resembling the legitimate letsdefend.io domain.
The impersonating domain letsdefwnd[.]io (typosquatting via character substitution: e → w) was configured with a valid mail server (mail.mailerhost.net), strongly suggesting preparation for email-based phishing.
At the time of alert creation, no confirmed phishing email had yet been identified.
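The detection logic behind an alert like this is simple to reproduce: enumerate single-edit lookalikes of the protected domain, resolve their MX records on a schedule, and diff consecutive snapshots. The block below is an added example, not the page's or LetsDefend's code; the two DNS snapshots are constructed (the MX host on letsdefwnd.io is the value from the alert), and the example only covers same-TLD, single-edit variants, so homoglyphs and other TLDs would need a separate list.

```python
"""Added example (not the page's or LetsDefend's code): build a watchlist of
single-edit lookalikes of a protected domain and raise an alert when a DNS
snapshot shows an MX record appearing or changing on one of them.

DNS snapshots below are constructed for the example; the MX host for
letsdefwnd.io is the value reported in the alert.
"""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"


def lookalike_variants(domain: str) -> set[str]:
    """Return every domain one edit away from `domain` in its registrable
    label: substitution (letsdefend -> letsdefwnd), omission, transposition
    and insertion. Same TLD only; other TLDs and homoglyphs are out of scope."""
    label, _, tld = domain.rpartition(".")
    out: set[str] = set()
    for i, ch in enumerate(label):
        for c in ALPHABET:
            if c != ch:
                out.add(label[:i] + c + label[i + 1:])        # substitution
            out.add(label[:i] + c + label[i:])                # insertion before i
        out.add(label[:i] + label[i + 1:])                    # omission
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
    for c in ALPHABET:
        out.add(label + c)                                    # insertion at end
    out.discard(label)
    # Drop strings that are not valid DNS labels (empty, or hyphen at an edge).
    return {f"{v}.{tld}" for v in out if v and v[0] != "-" and v[-1] != "-"}


def mx_change_alerts(protected: str, before: dict, after: dict) -> list[dict]:
    """Diff two {domain: [mx hosts]} snapshots and report MX changes on
    lookalikes of `protected`. A lookalike gaining its first MX record is the
    'preparing to send mail' signal that fired SOC326; an MX disappearing is
    only informational."""
    watch = lookalike_variants(protected)
    alerts = []
    for domain in sorted(set(before) | set(after)):
        if domain not in watch:
            continue
        old = sorted(before.get(domain, []))
        new = sorted(after.get(domain, []))
        if old != new:
            alerts.append({
                "domain": domain,
                "old_mx": old,
                "new_mx": new,
                "severity": "HIGH" if new else "INFO",
            })
    return alerts


# Constructed snapshots: what a daily resolver sweep of the watchlist might
# return on two consecutive days.
SNAPSHOT_DAY1 = {
    "letsdefwnd.io": [],                      # registered, no mail yet
    "unrelated.io": ["mx.example.net"],       # not a lookalike; must be ignored
}
SNAPSHOT_DAY2 = {
    "letsdefwnd.io": ["mail.mailerhost.net"],  # MX appears: the SOC326 condition
    "letsdefemd.io": ["mx2.example.org"],      # a second lookalike, newly seen
    "unrelated.io": ["mx.example.net"],
}

if __name__ == "__main__":
    for alert in mx_change_alerts("letsdefend.io", SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(alert)
```

In production the snapshot dictionaries would come from a scheduled resolver sweep (or a passive-DNS feed) rather than literals, and the watchlist would be extended with homoglyph and cross-TLD variants; the diff-and-alert step stays the same.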
2. Detection & Verification
Initial triage involved reviewing the notification email received by the SOC:
- Sender: no-reply@cti-report.io
- Recipient: soc@letsdefend.io
- Email Content: Informational security alert
- Attachments: None
Conclusion at this stage:
The alert email itself was benign: an informational notification with no attachments or URLs. The MX record change on a typosquatted domain, however, warranted deeper investigation.
3. Incident Analysis
Timeline Progression
September 17, 2024
- MX record change detected for letsdefwnd[.]io
- Alert raised as early warning
September 18, 2024
- A phishing email was observed in Email Security logs
- Campaign escalated from preparation to active exploitation
Phishing Email Discovery
A search in the Email Security tab revealed a phishing email sent one day after the alert:

| Field | Value |
|---|---|
| Sender | voucher@letsdefwnd[.]io |
| Recipient | mateo@letsdefend.io |
| Subject | Congratulations! You’ve Won a Voucher |
| Delivery Status | Allowed |
| Timestamp | Sep 18, 2024 – 08:00 AM |
The email leveraged social engineering and urgency, enticing the user to click a button claiming a limited-time voucher reward.

Malicious URL Identified
- Embedded Link: hxxp://letsdefwnd[.]io/
- Contains URL: Yes
This confirmed that the impersonating domain was being actively used for phishing.
4. URL & Infrastructure Analysis
OSINT & Sandbox Review
- VirusTotal (URL): Initially appeared clean
- Talos: Unknown reputation
- URL resolution: Intermittent / unstable

Despite the mixed OSINT results, network and endpoint evidence (below) showed real-world exploitation. Newly provisioned infrastructure usually has no reputation history yet, so a "clean" OSINT verdict is not evidence that a domain is benign.
Network & Endpoint Evidence
Log correlation revealed successful communication between the victim endpoint and attacker infrastructure:
| Field | Value |
|---|---|
| Source IP | 172.16.20.3 (Internal) |
| Destination IP | 45.33.23.183 |
| Destination Port | 25 |
| Time | Sep 18, 2024 – 08:00 AM |

EDR telemetry confirmed:

- User clicked the phishing link
- Outbound traffic to 45.33.23.183
- IP flagged by multiple intelligence sources for spam, phishing, and malicious activity
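The correlation step above, joining a delivered email to a connection from the recipient's endpoint, is worth automating so the next campaign is caught without a manual search. The block below is an added example, not content from the page's SIEM or EDR; the log lines, the user-to-host mapping and the one-hour window are constructed, with field values mirroring the case. It keys the match on destination IP and time rather than on port, so the port-25 connection recorded in this case matches the same way an HTTPS connection would.

```python
"""Added example (not the page's SIEM or EDR content): correlate a delivered
email from an IOC domain with outbound connections from the recipient's
endpoint to IOC IPs inside a time window, and flag any other hosts that
reached the same infrastructure. All logs and mappings are constructed.
"""
from datetime import datetime, timedelta

# Constructed email-security log: one phishing message, one benign message.
EMAIL_LOG = [
    {"ts": "2024-09-18T08:00:00", "sender": "voucher@letsdefwnd.io",
     "recipient": "mateo@letsdefend.io", "url": "http://letsdefwnd.io/",
     "action": "Allowed"},
    {"ts": "2024-09-18T08:05:00", "sender": "hr@letsdefend.io",
     "recipient": "mateo@letsdefend.io", "url": None, "action": "Allowed"},
]

# Constructed firewall/EDR network log.
NETWORK_LOG = [
    {"ts": "2024-09-18T08:00:00", "src_ip": "172.16.20.3",
     "dst_ip": "45.33.23.183", "dst_port": 25},     # recipient's host -> IOC IP
    {"ts": "2024-09-18T09:30:00", "src_ip": "172.16.20.3",
     "dst_ip": "203.0.113.10", "dst_port": 443},    # benign destination
    {"ts": "2024-09-18T08:02:00", "src_ip": "172.16.20.7",
     "dst_ip": "45.33.23.183", "dst_port": 25},     # another host -> IOC IP
]

# Assumed asset inventory (not on the page): which endpoint each user was on.
USER_HOSTS = {"mateo@letsdefend.io": "172.16.20.3"}

IOC_DOMAINS = {"letsdefwnd.io"}
IOC_IPS = {"45.33.23.183"}


def sender_domain(address: str) -> str:
    """Registrable part after the last '@', lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def correlate_click(email_log, network_log, user_hosts, ioc_domains, ioc_ips,
                    window=timedelta(hours=1)):
    """For each delivered mail from an IOC domain, return connections from the
    recipient's host to an IOC IP within `window` after delivery. Matching is
    on source host, destination IP and time; the port is reported, not matched."""
    hits = []
    for mail in email_log:
        if mail["action"] != "Allowed":
            continue
        if sender_domain(mail["sender"]) not in ioc_domains:
            continue
        host = user_hosts.get(mail["recipient"])
        if host is None:
            continue  # no asset mapping; cannot attribute traffic to this user
        delivered = datetime.fromisoformat(mail["ts"])
        for conn in network_log:
            seen = datetime.fromisoformat(conn["ts"])
            if (conn["src_ip"] == host and conn["dst_ip"] in ioc_ips
                    and delivered <= seen <= delivered + window):
                hits.append({
                    "user": mail["recipient"],
                    "host": host,
                    "sender": mail["sender"],
                    "dst_ip": conn["dst_ip"],
                    "dst_port": conn["dst_port"],
                    "seconds_after_delivery": int((seen - delivered).total_seconds()),
                })
    return hits


def other_hosts_to_ioc(network_log, ioc_ips, known_hosts):
    """Hosts that reached an IOC IP but are not already attributed to a
    recipient: candidates for a second victim or a forwarded email."""
    return sorted({c["src_ip"] for c in network_log
                   if c["dst_ip"] in ioc_ips and c["src_ip"] not in known_hosts})


if __name__ == "__main__":
    for hit in correlate_click(EMAIL_LOG, NETWORK_LOG, USER_HOSTS, IOC_DOMAINS, IOC_IPS):
        print("click confirmed:", hit)
    print("other hosts:", other_hosts_to_ioc(NETWORK_LOG, IOC_IPS, set(USER_HOSTS.values())))
```

The user-to-host mapping is the weak point of this join: without a reliable asset inventory or identity logs (DHCP, VPN, EDR logon events) the recipient cannot be tied to a source IP, which is why the second function scans for any host talking to the IOC IPs regardless of attribution.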
5. Reputation & Threat Intelligence
Domain Intelligence

- Registrar: Sav.com, LLC
- Registrant: Privacy Protection (Redacted)
- Domain Status: clientTransferProhibited
- DNS Servers: ns1.giantpanda.com, ns2.giantpanda.com
IP Reputation
45.33.23.183
- Flagged by VirusTotal vendors
- Reported on AbuseIPDB for phishing and spam
- Observed as C2 / phishing infrastructure
6. Indicators of Compromise (IOCs)
| Category | Value |
|---|---|
| Phishing Domain | letsdefwnd[.]io |
| Malicious URL | hxxp://letsdefwnd[.]io/ |
| Sender Address | voucher@letsdefwnd[.]io |
| MX Record | mail.mailerhost.net |
| C2 / Infra IP | 45.33.23.183 |
| Additional IPs | 72.14.178.174, 45.33.30.197, 173.255.194.134 |

7. MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Command & Control | Application Layer Protocol | T1071 |
8. Response & Containment Actions
Immediate actions taken:
- Phishing email deleted from recipient mailbox
- Affected endpoint contained via EDR
- Malicious domain and IP blocked at perimeter controls
- Artifacts added to IOC watchlists
9. Final Assessment
Verdict: True Positive
Threat Status: Active phishing campaign confirmed

What began as an MX record change alert evolved into a fully executed phishing attack, validating the effectiveness of early domain monitoring. The attacker successfully delivered a phishing email, convinced the user to click the link, and established communication with malicious infrastructure.
Lessons Learned
- MX record changes are a critical early indicator of phishing campaigns
- Typosquatting remains highly effective against internal users
- OSINT “clean” results do not equal benign activity
- Domain monitoring must be paired with email and endpoint telemetry
- User awareness training remains essential
Analyst Note
On September 17, 2024, a Digital Risk Protection alert (SOC326) was triggered after detecting a Mail Exchange (MX) record change on the domain letsdefwnd[.]io, which closely resembles the legitimate letsdefend.io domain. The MX record was updated to mail.mailerhost.net, indicating that the domain had been configured to send and receive email and could be used for phishing activity.
Initial review of the alert email from no-reply@cti-report.io confirmed that the notification itself was informational and did not contain any attachments or URLs. However, due to the typosquatting nature of the domain and the presence of an active MX record, the alert was treated as a high-risk early warning indicator.
Further investigation in the Email Security logs identified a phishing email delivered on September 18, 2024, one day after the alert was generated. The email originated from voucher@letsdefwnd[.]io and was sent to an internal user (mateo@letsdefend.io). The message contained an embedded hyperlink pointing to hxxp://letsdefwnd[.]io/ and used social engineering tactics to entice the recipient with a fake voucher offer.
Endpoint and network telemetry confirmed that the user clicked the malicious link, resulting in outbound communication to 45.33.23.183, an IP address associated with phishing and malicious activity based on threat intelligence sources. This confirmed that the impersonating domain was actively weaponized and no longer in a preparatory phase.
The phishing email was deleted, the affected endpoint was contained for further investigation, and the malicious domain and associated IP addresses were blocked at perimeter security controls.