Artifact no.2

ID 2133: Email reported by user as malware or phish involving one user

Summary:

On Jun 4, 2026 5:51 PM MSOC received an alert titled “Email reported by user as malware or phish involving one user”. The alert was triggered because User John Wayne received a malicious/Phishing email.

all three authentication of the header failed.
DMARC Compliant: Failed
SPF Authenticated: Failed
Authenticated: Failed
Domain is declared as non malicious by OSINT Tools. Domain has been in existence for 2 years. the body of the email was Creating an urgency with the “Subject[INIT]Action Required: Your ManyTek Account Will Be Suspended in 24 Hours”.

Red flags:
Addressing the user as “ManyTek Analyst”
Wrong date, the email was received on Jun 4, 2026 5:51 but in the email the sender mentioned ” 3 failed login attempts on your account from IP 91.108.4.180 and 185.220.101.47 on June 5, 2026 at 14:17 UTC”. Unusual email format such as a huge gap in the line without finishing a sentence and continuing in the next line trying to create an urgency again by mentioning “You must verify your identity within 24 hours, or your account will be permanently suspended” again. email contains 6 URLs;
first URL is declared by OSINT Tool. on sandbox it asked us to download the File named “Screenconnect.ClientSetup.msi”

2nd URL is declared malicious by OSINT Tools. Dynamic Analysis leads to a page with the IP address 185.22.101.47 The webpage was not found. checked the IP address resulting Malicious by OSINT Tool with the confidence of abuse being 100%.

QR Code 3rd URL was classified as malicious by OSINT however Dynamic analysis leads to a page called of a company called bid&tenders asking the user to enter his email to bid, 6 month old no way to prove if it is legit or not. which lead to a document in DocuSign which u can’t see cause it’s blureed out and u received a code
Dynamic Analysis Report suggest it could be highly malicious giving it the score of 8/10 pn behavioral1 suggesting possible Tactic Defense Evasion and Discovery.

4th URL
was classified as malicious by OSINT Tools leads to the same website as 3rd URL but directs you to one drive shared document from there it directs you to a Microsoft login page saying they will senf you code but give place to enter the code only leaving the option to put down you password

5th URL
isn’t classified as malicious by OSINT Tools leads to a non profit organization.

6th URL
detected as malicious by OSINT Tools leads to a page that doesn’t exist anymore.

ManyTek_Security_Incident_Report_Jun2026.docx Attachment
alert report with the same content as the email. asks user to enable the macros by clicking “Enable Content” in order to restore the users account access.

Alert Details:
who: John Wayne
what: This alert is triggered when any email message is reported as malware or phish by user
where: 2 Mailboxes
when : Jun 4, 2026 5:51 PM
why: phishing email can compromise users’ credentials which could lead to a further damage causing the whole network system to suffer.

User Info
Name: John Wayne
Email: john.wayne@manytek.org
Job Title: Offshore Developer
Department: Engineering
Mgr: EMMANUEL DAMPTEY

Email Info:
Recipient(s): john.wayne@manytek.org
Sender address: soc@manytek.org
Time received: Jun 4, 2026 5:39 PM
Latest delivery location: Inbox/folder
Subject [INIT]Action Required: Your ManyTek Account Will Be Suspended in 24 Hours
Return-Path and Reply to: soc@manytek.org

MITRE ATT&CK :
Category: Threat management
Techniques: T1566
Detection source: MDO
Service source: Office 365

User Info

Name: John Wayne
Email: john.wayne@manytek.org
Job Title: Offshore Developer
Department: Engineering
Mgr: EMMANUEL DAMPTEY

Action/Recommendation:
Please verify with the user if they clicked on any link from the email. If yes, please reply immediately to us to find out what happened when the link was clicked so we can further investigate the damage. if the user didn’t then, it is recommended to block the sender and deleted the email from the inbox.