{"id":472,"date":"2026-07-03T03:21:33","date_gmt":"2026-07-03T03:21:33","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/?page_id=472"},"modified":"2026-07-03T03:39:06","modified_gmt":"2026-07-03T03:39:06","slug":"artifact-1","status":"publish","type":"page","link":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/artifact-1\/","title":{"rendered":"Artifact 1"},"content":{"rendered":"\n<p>ID 2093: Email reported by user as malware or phish involving one user<\/p>\n\n\n\n<p>Email reported by user as malware or phishing| alex.peprah@manytek.org | Malicious Email from IP Hong Kong| Malicious URL| QR code attachment | Block sender and delete email<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary:<\/h2>\n\n\n\n<p>On May 30, 2026 10:22 AM MSOC Team received an alert titled &#8220;Email reported by user as malware or phish involving one user&#8221;. the alert was triggered because the user Alex Peprah received suspicious email from The sender &#8220;security-alert@rnicrosoft.com&#8221; IP address &#8220;114.29.236.247&#8221; Located in Hong Kong.<\/p>\n\n\n\n<p>Domain has been reported as malicious by OSINT Tools. All 3 Authentication failed DMARC Compliant (No DMARC Record Found), SPF Authenticated, DKIM Authenticated. dynamic analysis showed that the 1st URL leads to a page that is not found. 2nd URL takes you to a regular Copilot page to personalize the feed. The QR code attachment Scan leads to the 2nd URL page which is not malicious.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5Ws<\/h2>\n\n\n\n<p>who: Alex Peprah<br>what: This alert is triggered when email from ecurity-alert@rnicrosoft.com is reported as malware or phish by users(Alex Peprah)<br>where : 2 Mailboxes<br>when: May 30, 2026 10:22 AM\ue77b<br>why: phishing email can compromise users\u2019 credentials which could lead to a further damage causing the whole network system to suffer.<\/p>\n\n\n\n<p>User Information:<br>Name: Alex Peprah<br>Job Title: Training Director<br>Department: Education &amp; Workforce Development<br>Manager: EMMANUEL DAMPTEY<\/p>\n\n\n\n<p>Email Information:<br>Senders Email address: security-alert@rnicrosoft.com<br>IP address: 114.29.236.247<br>Subject: Action Required: Office 365 Security Alert<br>Return path: security-alert@rnicrosoft.com<br>Email reported: May 30, 2026 2:22 PM<\/p>\n\n\n\n<p>IP Information: 114.29.236.247<br>Organization (ISP): cloudwebmanage platform<br>ASN: 64022<br>Hostname(s): emkei.cz<br>Domain Name: cloudwm.com<br>Country\/Region: aberdeen, hong kong<br>Carrier: kamatera inc.<br>This was reported 5 times. confidence of abuse is 0%<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK:<\/h2>\n\n\n\n<p>Category: Threat management<br>Techniques: T1566<br>Detection source: MDO<br>Service source: Office 365<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Action\/Recommendation:<\/h2>\n\n\n\n<p>Please verify with the user if they clicked on any link from the email. If yes, please reply immediately to us to find out what happened when the link was clicked so we can further investigate the damage. if the user didn&#8217;t then, it is recommended to block the sender and deleted the email from the inbox.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OSINT Reference:<\/h2>\n\n\n\n<p>IP:<br>VirusTotal: 2\/91 security vendors flagged this IP address as malicious\/Phishing<br>https:\/\/www.virustotal.com\/gui\/ip-address\/114.29.236.247<\/p>\n\n\n\n<p>AbuseIPDB: This IP was reported 5 times. Confidence of Abuse is 0%<br>https:\/\/www.abuseipdb.com\/check\/114.29.236.247<\/p>\n\n\n\n<p>Domain<br>17\/91 security vendors flagged this domain as malicious<br>https:\/\/www.virustotal.com\/gui\/domain\/rnicrosoft.com<\/p>\n\n\n\n<p>Header<br>https:\/\/mxtoolbox.com\/Public\/Tools\/EmailHeaders.aspx?huid=48efb9ec-6c1a-4d47-b53e-7c178f386a6e<\/p>\n\n\n\n<p>URL<br>https:\/\/quik-apps.com.co\/ref<br>No security vendors flagged this URL as malicious<br>https:\/\/www.virustotal.com\/gui\/url\/98db72fa6f9a47e5f1213c6149588c501078fd70e3c4a5149fc49e9150da3776<\/p>\n\n\n\n<p>https:\/\/www.google.com\/url?q=amp\/apis.google.com%252Fadditnow%252Fl%253FapplicationId%253D1%2526__ls%253Dogb%2526__lu%253Dhttps%253A%252F%252Fmilkujeans.com.py\/redirect=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJjYW1wYWlnbklkIjoiNWFiYmY2MjQtOTc3ZC0xMWVmLWJhZWItMjk2ZWI2NWZmZDY2IiwiZW1haW-oner2\/%253Femail%253DYW5uaWtraS5kZWxhY2V5QGNvbG1hcmJydW50b24uY28ubno=<\/p>\n\n\n\n<p>No security vendors flagged this URL as malicious<br>https:\/\/www.virustotal.com\/gui\/url\/e298e40513ebf34756259e2fd31b24e50f72cc4cb84c04f90e9ab787bdf9614e<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ID 2093: Email reported by user as malware or phish involving one user Email reported by user as malware or phishing| alex.peprah@manytek.org | Malicious Email from IP Hong Kong| Malicious URL| QR code attachment | Block sender and delete email Summary: On May 30, 2026 10:22 AM MSOC Team received an alert titled &#8220;Email reported&#8230; <\/p>\n<div class=\"link-more\"><a href=\"https:\/\/sites.wp.odu.edu\/dolmacyse201\/artifact-1\/\">Read More<\/a><\/div>\n","protected":false},"author":29732,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/pages\/472"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/users\/29732"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/comments?post=472"}],"version-history":[{"count":2,"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/pages\/472\/revisions"}],"predecessor-version":[{"id":507,"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/pages\/472\/revisions\/507"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/dolmacyse201\/wp-json\/wp\/v2\/media?parent=472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}