A "Malicious URL access detected" alert fires when a user or host attempts a connection to a website known to be malicious, such as a phishing page, a malware distribution site, or command-and-control (C2) infrastructure.
Such access is flagged as a security concern, so immediate investigation is required to prevent a potential breach.
The Discovery:
Ravi hurried from home to the office as his shift began. He needed his usual mocha at the start of a shift, so he grabbed one from the work cafe and opened the dashboard. Among the routine alerts, one offense caught his eye: "Malicious URL accessed by a user account."
The Investigation:
The rule flagged a scenario where a user accessed a URL known for hosting malicious content, i.e. a URL in the malware category. A quick lookup in free online scanning services confirmed that the URL was classified as malware.
- Malicious URL Category: Malware
- Malicious URL: http://free-rewards-now.com
- Time of Access: 10:32 AM
- User Account: lucy.k@company.com
- Source IP: 192.168.1.45
The URL had been identified in external threat intelligence feeds as a malware site that distributes malware disguised as reward offers.
Ravi also opened the site in an isolated environment and checked it: the site advertised coupons and offers and asked for credentials.
He then analysed the site and considered how the user might have reached it. Had any email delivered this link?
He checked the logs for the URL and found the IP on which the URL was hosted. You can find the hosting IP by pinging the domain from cmd or by searching in Censys, URLVoid, etc.
He then checked the logs for that remote IP and observed Lucy's events showing that she had accessed the malicious URL.
The Possible Culprits:
- Phishing Attack: The malicious URL was embedded in a fake promotional email.
- Malware Delivery: The URL likely hosted a payload designed to infect the user's system.
- Lure: Users may click this link hoping for coupons.
- Command-and-Control: The URL may have been part of a C2 server network.
The Attack:
This attack was flagged because the URL falls in a malicious category with a risk score of 10.
Ravi observed that the URL was allowed on the proxy.
- When he clicked the link (in isolation), it redirected him to a webpage prompting him to "Enter his details."
If a user provides organisation credentials on such a page, the impact on the organisation is serious, because the user's credentials are leaked.
After checking the email gateway logs, Ravi found a mail whose subject offered a free coupon.
Filtering further on that subject, only Lucy had received this mail from the malicious sender.
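The pivots Ravi performed above (URL to user, hosting IP to user, email subject to recipient) can be scripted so that every user who touched the indicator is found, not just the one named in the alert. The following is an added example, not code from the original write-up; the log line formats, field layout, sample records, the hostname rewards-claim.example and the IP 203.0.113.10 are constructed for illustration. It goes slightly beyond the story by showing that pivoting on the hosting IP can surface a second user who reached the same server through a different hostname.

```python
"""Correlate a flagged URL against proxy and email-gateway logs (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: date time user src_ip dest_ip action url
PROXY_LOGS = """\
2024-05-06 10:31:58 lucy.k@company.com 192.168.1.45 203.0.113.10 ALLOW http://free-rewards-now.com/claim
2024-05-06 10:32:04 lucy.k@company.com 192.168.1.45 203.0.113.10 ALLOW http://free-rewards-now.com/login
2024-05-06 10:33:10 bob.m@company.com 192.168.1.77 198.51.100.5 ALLOW https://intranet.company.com/
2024-05-06 10:35:42 ann.p@company.com 192.168.1.90 203.0.113.10 ALLOW http://rewards-claim.example/
"""

# Constructed sample email gateway lines: date time sender recipient "subject"
EMAIL_LOGS = """\
2024-05-06 09:58:11 promo@free-rewards-now.com lucy.k@company.com "Free coupon: claim your reward now"
2024-05-06 09:59:02 hr@company.com bob.m@company.com "Payroll calendar for May"
"""

EMAIL_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) "(.*)"$')


def parse_proxy(text):
    """Split each proxy line into a dict and pre-compute the URL's hostname."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, src_ip, dest_ip, action, url = line.split()
        records.append({"ts": f"{date} {time}", "user": user, "src_ip": src_ip,
                        "dest_ip": dest_ip, "action": action, "url": url,
                        "host": urlparse(url).hostname})
    return records


def parse_email(text):
    """Parse email gateway lines; the subject is the quoted trailing field."""
    records = []
    for line in text.splitlines():
        m = EMAIL_RE.match(line)
        if m:
            ts, sender, recipient, subject = m.groups()
            records.append({"ts": ts, "sender": sender,
                            "recipient": recipient, "subject": subject})
    return records


def users_who_accessed_url(records, url):
    """Pivot 1: which users requested any URL on the flagged hostname."""
    target = urlparse(url).hostname
    return sorted({r["user"] for r in records if r["host"] == target})


def hosts_by_user_for_ip(records, ip):
    """Pivot 2: which users reached the hosting IP, and via which hostnames."""
    out = {}
    for r in records:
        if r["dest_ip"] == ip:
            out.setdefault(r["user"], set()).add(r["host"])
    return out


def recipients_with_subject(records, keyword):
    """Pivot 3: who received mail whose subject contains the lure keyword."""
    kw = keyword.lower()
    return sorted({(r["recipient"], r["sender"])
                   for r in records if kw in r["subject"].lower()})


def investigate(url, hosting_ip, subject_keyword):
    """Run all three pivots over the embedded sample logs."""
    proxy = parse_proxy(PROXY_LOGS)
    mail = parse_email(EMAIL_LOGS)
    return {
        "url_users": users_who_accessed_url(proxy, url),
        "ip_users": hosts_by_user_for_ip(proxy, hosting_ip),
        "mail_recipients": recipients_with_subject(mail, subject_keyword),
    }


if __name__ == "__main__":
    for key, value in investigate("http://free-rewards-now.com",
                                  "203.0.113.10", "free coupon").items():
        print(key, value)
```

On the sample data the URL pivot and the email pivot both return only Lucy, matching the story, while the IP pivot also returns a second user who hit the same server under another hostname; that is why the write-up blocks the IP at the firewall as well as the URL at the proxy.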
Response:
Ravi immediately followed the incident response protocol, and the incident was assigned to the relevant teams.
- Containment Phase:
  - Blocked the URL at the proxy level to prevent further access.
  - Blocked the IP at the firewall level to prevent further access.
  - Reset the user's password immediately.
  - Isolated Lucy's workstation from the network.
- Eradication Phase:
  - Checked Lucy's workstation for any signs of malware infection.
  - The AV team scanned the host; no detections or traces were found by the antivirus.
  - Added the observed malicious URL to the organisation's blocklist to prevent future access.
  - Added the observed remote IP to the organisation's blocklist to prevent future access.
- Lessons Learnt:
  - Recommended enabling advanced email filtering to detect similar phishing attempts.
  - Updated threat intelligence feeds to monitor similar malicious domains.
  - Educated Lucy on recognising phishing emails and safe browsing practices.
Rule Logic Reference:
This rule can be written in two ways.
1) To detect when the URL is malicious:
IF (Log Source = "Web Proxy Logs")
AND (URL Category = "Malicious")
AND (Confidence of risk/reputation > 75)
AND (Access Attempt = "Successful/Blocked")
THEN Trigger an Alert
2) To detect when the destination IP is malicious:
IF (Log Source = "Firewall")
AND (Access Attempt = "Successful/Permit")
AND (Destination IP is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value > 75)
THEN Trigger an Alert
Tip:
Monitoring the condition below as well enhances security:
Detect when the URL is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
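To make the rule logic concrete, here is an added Python example (not from the original post or from any SIEM product) that evaluates the two rules and the tip against constructed events. The event field names (log_source, action, url_category, dest_ip_category, confidence), the severity labels, and the sample events are assumptions; the > 75 confidence threshold, the accepted access outcomes and the two category lists are taken from the rules above. The sample set deliberately includes a below-threshold event and a denied firewall event so the reader can see what the rules do not fire on.

```python
"""Evaluate the 'Rule Logic Reference' rules over sample events (added example)."""

CONFIDENCE_THRESHOLD = 75  # from the rules: confidence must be > 75

# Category list from rule 2 (destination IP reputation)
MALICIOUS_IP_CATEGORIES = {"Anonymization Servers", "Botnet C&C", "DynamicIPs",
                           "Malware", "ScanningIPs", "Spam"}
# Category list from the tip (policy categories worth monitoring)
POLICY_URL_CATEGORIES = {"Gambling", "Auctions", "Job Search", "Alcohol",
                         "Social Networking", "Dating"}


def malicious_url_rule(ev):
    """Rule 1: proxy event, URL category Malicious, confidence > 75,
    and the attempt either succeeded or was blocked (both are worth knowing)."""
    return (ev.get("log_source") == "Web Proxy Logs"
            and ev.get("url_category") == "Malicious"
            and ev.get("confidence", 0) > CONFIDENCE_THRESHOLD
            and ev.get("action") in {"Successful", "Blocked"})


def malicious_dest_ip_rule(ev):
    """Rule 2: permitted firewall connection to an IP in a malicious
    reputation category with confidence > 75."""
    return (ev.get("log_source") == "Firewall"
            and ev.get("action") in {"Successful", "Permit"}
            and ev.get("dest_ip_category") in MALICIOUS_IP_CATEGORIES
            and ev.get("confidence", 0) > CONFIDENCE_THRESHOLD)


def policy_url_rule(ev):
    """Tip: proxy event whose URL falls in a policy category."""
    return (ev.get("log_source") == "Web Proxy Logs"
            and ev.get("url_category") in POLICY_URL_CATEGORIES)


# Severity labels are an assumption of this example, not part of the rules.
RULES = [
    ("Malicious URL accessed", "high", malicious_url_rule),
    ("Connection to malicious destination IP", "high", malicious_dest_ip_rule),
    ("Policy-violating URL category", "low", policy_url_rule),
]


def evaluate(events):
    """Return one alert dict per (event, rule) pair that matches."""
    alerts = []
    for ev in events:
        for name, severity, test in RULES:
            if test(ev):
                alerts.append({"rule": name, "severity": severity,
                               "user": ev.get("user"),
                               "indicator": ev.get("url") or ev.get("dest_ip")})
    return alerts


# Constructed sample events (IPs from the documentation range 203.0.113.0/24)
SAMPLE_EVENTS = [
    {"log_source": "Web Proxy Logs", "user": "lucy.k@company.com",
     "url": "http://free-rewards-now.com", "url_category": "Malicious",
     "confidence": 90, "action": "Successful"},            # rule 1 fires
    {"log_source": "Web Proxy Logs", "user": "bob.m@company.com",
     "url": "http://example.net/", "url_category": "Malicious",
     "confidence": 60, "action": "Successful"},            # below threshold: no alert
    {"log_source": "Firewall", "user": "lucy.k@company.com",
     "dest_ip": "203.0.113.10", "dest_ip_category": "Malware",
     "confidence": 80, "action": "Permit"},                # rule 2 fires
    {"log_source": "Firewall", "user": "ann.p@company.com",
     "dest_ip": "203.0.113.11", "dest_ip_category": "Botnet C&C",
     "confidence": 95, "action": "Deny"},                  # denied: rule 2 silent
    {"log_source": "Web Proxy Logs", "user": "bob.m@company.com",
     "url": "https://poker.example/", "url_category": "Gambling",
     "confidence": 100, "action": "Successful"},           # tip rule fires
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The confidence threshold is what keeps rule 1 from paging on every low-reputation category hit, and the action filter in rule 2 means a firewall that already denied the connection does not raise a second high-severity alert for the same block; both behaviours are visible in the second and fourth sample events.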
Ravi received applause, was very happy to have remediated the incident, and slept that night without any worries.