Command Zero
Narration by Agent Zero
Medium
run-87a017eb-a7ad-4636-9580-1d980bf4d5c0
Malicious
High confidence
  • phishing
  • email-spoofing
  • url-obfuscation
  • campaign-analysis
  • threat-intelligence

Sophisticated Phishing Campaign Using Spoofed Internal Emails and URL Redirection

A coordinated phishing campaign targeted multiple [ORG_1] employees using email spoofing, Google Maps URL redirects, and personalized tracking parameters. Investigation confirmed 19 similar emails with identical body fingerprints, indicating campaign-scale attack with no evidence of successful compromise.

AUTONOMOUS INVESTIGATION · Command Zero · Agent Zero

  • Investigation time: 2m 31s (autonomous)
  • Questions asked: 13 (IPData, Microsoft 365 Defender, Microsoft Entra, Microsoft Exchange)
  • Records analyzed: 5 (across all data sources)
  • Human analysis: ~2 hrs (Tier-2 equivalent *)
  • Analyst cost saved: ~$133 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On January 2, 2026, user_1@[INTERNAL_DOMAIN_1].local reported a phishing email received on December 17, 2025 — a 16-day gap that exposed a critical detection blind spot. The email, with subject "Action Required: Signature Needed for Payment Processing," appeared to come from an internal sender but originated from [EXTERNAL_IP_1], a VPN endpoint in France hosted by OVH SAS. The phishing URLs employed sophisticated obfuscation: a Google Maps redirect (`maps.google.com.br/url?q=...`) masked the true destination (`evil-acme.com`), and a Base64-encoded tracking parameter in the URL fragment decoded to the victim's email address, revealing a targeted approach. Email cluster analysis identified 19 similar messages with identical body fingerprints (3869896793), confirming a coordinated campaign rather than a one-off attempt. Microsoft 365 Defender marked the URLs as malicious and remediated, but the incident remained in "inProgress" status with "pendingApproval" investigation state. While no successful compromise was detected, the campaign's sophistication and the extended window before reporting represent a significant security concern warranting enhanced email security awareness training.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be an account compromise?

Ruled out
Supporting evidence:
  • Email with subject 'Action Required: Signature Needed for Payment Processing' reported as phishing (Moderate)
  • Sender IP address [EXTERNAL_IP_1] identified as a VPN endpoint in France (Moderate)
  • Spoofed sender email matching recipient's address (user_1@[INTERNAL_DOMAIN_1].local) (Moderate)
Dismissed: While the email contains suspicious elements that could indicate account compromise, there is no evidence that any account was actually compromised. The security alert was triggered by a user reporting a phishing email, not by successful unauthorized access. All evidence points to a phishing attempt that was detected and reported before compromise occurred. · High confidence

H2: Could this be suspicious activity?

Ruled out
Supporting evidence:
  • Application-based access to user_1's mailbox via REST API (Moderate)
  • Access originated from IP [EXTERNAL_IP_2] categorized as VPN (Moderate)
  • Application ID d3590ed6-52b3-4102-aeff-aad2292ab01c accessed specific email with financial subject line (Moderate)
Dismissed: While the application-based access to a specific email with financial content initially raised concerns, the IP address [EXTERNAL_IP_2] is documented as an 'Authorized corporate VPN gateway - remote workforce' according to enrichment data. The application appears to be a legitimate Microsoft Office/Outlook integration accessing the mailbox through proper authentication channels. There is no evidence of unauthorized access or malicious post-authentication activities. · Medium confidence

H3: Could this be a false positive?

Ruled out
Supporting evidence:
  • No records found in Microsoft Defender XDR for email attachments, URL info, or email events for the reported message (Moderate)
  • 16-day gap between email receipt (December 17, 2025) and incident creation (January 2, 2026) (Moderate)
  • Email reported by user rather than automatically detected by security systems (Moderate)
Dismissed: The lack of records in Microsoft Defender XDR does not indicate a false positive. The phishing email was real and contained malicious URLs. The delay in reporting and the manual user report rather than automatic detection suggest security controls may have initially missed the threat, but this does not make the threat itself a false positive. · High confidence

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • User report: Email with subject 'Action Required: Signature Needed for Payment Processing - [HASH_FRAGMENT_1]' reported as phishing (source: Microsoft 365 Defender Incident #38818)
  • Email header analysis: Sender email address (user_1@[INTERNAL_DOMAIN_1].local) spoofed to match recipient's address (user_1@[INTERNAL_DOMAIN_1].local) (source: Microsoft Entra Security Alert)
  • Threat intelligence: Sender IP address [EXTERNAL_IP_1] identified as a VPN endpoint hosted by OVH SAS in France (source: IPData Intelligence)
    Methodology: IPData is a service providing lookup of information connected with an IP address. It exposes items like hosting organization, location, domain and many more. It also determines if the IP is within a category, such as VPN, TOR, proxy or reserved ranges. IP location data can be used when considering an unusual IP within a record. For instance, if a login record commonly shows an IP with a login of San Francisco, California and another is detected from Oakland, California, it is of less importance than a third login from Berlin the same day. Analysis of IP geolocation can help detect impossible travel or unusual access attempts. IP information can also be useful in determining leads that are not worth following; for example, the known AWS or Microsoft IP addresses. This can reduce the scope of the investigation and reduce potential false paths for an investigator.
  • URL analysis: Malicious URL using Google Maps redirect to mask destination: http://maps.google.com.br/url?q=http%3A%2F%2Fevil-acme.com%2Fcontact&sa=D&sntz=1&usg=AOvVaw02WyromupWuO-ZvDtceTbW#89efb2ea676275dc216848c8cd505629321e8dfb=[ENCODED_EMAIL_1] (source: Microsoft 365 Defender URL Analysis)
  • Encoded data: Base64-encoded tracking parameter in URL fragment ([ENCODED_EMAIL_1]) decodes to 'user_1@[INTERNAL_DOMAIN_1].local' (source: URL Analysis)
  • Campaign analysis: 19 similar emails with identical body fingerprint (3869896793) identified in email clusters (source: Microsoft 365 Defender Email Cluster Analysis)
  • Temporal analysis: 16-day gap between email receipt (December 17, 2025) and incident creation (January 2, 2026) (source: Microsoft 365 Defender Timeline Analysis)
  • Mailbox access log: Application-based access to the reported email in user_1's mailbox via REST API from IP [EXTERNAL_IP_2] (source: Microsoft Defender for Cloud Apps)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Verified the malicious nature of the URLs in the email (Pass)
  2. fp2: Analyzed the email spoofing technique (Pass)
  3. fp3: Evaluated the campaign scope and targeting (Pass)
  4. fp4: Assessed the application-based mailbox access (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Tags: PhishingEmail, EmailSpoofing, MaliciousURLDetection, EmailClusterAnalysis

  • Technique: T1566.002 (Phishing: Spearphishing Link) · Tactic: Initial Access
    Context: Flag emails with spoofed internal sender addresses originating from external IP ranges, especially VPN endpoints outside the organization's known infrastructure. Alert on URLs using redirect services (Google Maps, URL shorteners, etc.) to mask the true destination domain. Monitor for Base64-encoded or obfuscated tracking parameters in URL fragments that decode to user email addresses, indicating personalized targeting. Correlate emails with identical body fingerprints across multiple recipients to identify campaign-scale phishing attempts.
  • Technique: T1187 (Forced Authentication) · Tactic: Initial Access
    Context: Detect sender address spoofing by comparing the From header address against the authenticated sender IP and mail server. Flag emails where the sender address matches the recipient's address, as this is a common social engineering tactic to create false trust. Implement DMARC, SPF, and DKIM validation to reject or quarantine spoofed emails before delivery. Monitor for emails originating from VPN endpoints that claim to be from internal users.
  • Technique: T1566.002 (Phishing: Spearphishing Link) · Tactic: Initial Access
    Context: Implement URL sandboxing and detonation for emails containing redirect URLs (maps.google.com, bit.ly, etc.) that mask the final destination. Flag URLs with encoded parameters in fragments that decode to sensitive data like email addresses. Block or quarantine emails containing URLs to known malicious domains like evil-acme.com. Use Safe Links or equivalent URL rewriting to prevent users from directly accessing malicious destinations and to log click events for forensic analysis.
  • Technique: T1566.001 (Phishing: Spearphishing Attachment) · Tactic: Initial Access
    Context: Correlate emails by body fingerprint to identify campaign-scale phishing. When 19 or more emails share identical body content (fingerprint 3869896793), escalate to incident response immediately. Analyze the distribution pattern: if multiple employees received the same email, assess whether the targeting was random or selective. Cross-reference email clusters with user roles and departments to determine if the campaign targeted specific business functions (finance, HR, executive).
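One way to turn the URL checks above (redirect-masked destination, Base64 fragment decoding to an email address) into a detection routine. This is an added example, not code from the original report or from Command Zero's tooling; the redirect watch-list, the placeholder recipient address and the benign comparison URL are constructed, while the redirect URL itself mirrors the one quoted in the evidence.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Redirect services whose "q"/"url" query parameter carries the real target.
# Constructed watch-list for this example; extend it from gateway telemetry.
REDIRECT_HOST_PREFIXES = ("maps.google.", "www.google.")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64(value: str) -> Optional[str]:
    """Decode standard or URL-safe Base64, tolerating stripped padding; None if not Base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_url(url: str) -> dict:
    """Flag a redirect-masked destination and a fragment that decodes to an email address."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"host": host, "destination": None, "tracking_key": None,
              "decoded_fragment": None, "personalized": False}
    if host.startswith(REDIRECT_HOST_PREFIXES):
        # parse_qs percent-decodes, so q=http%3A%2F%2F... becomes a full URL.
        # A plain place name (q=Eiffel+Tower) has no scheme and is not a redirect.
        for key in ("q", "url"):
            for candidate in parse_qs(parts.query).get(key, []):
                target = urlsplit(candidate)
                if target.scheme in ("http", "https") and target.hostname:
                    result["destination"] = target.hostname.lower()
                    break
            if result["destination"]:
                break
    # Fragment of the form <opaque-key>=<Base64 value>, as in the reported message.
    key, sep, value = parts.fragment.partition("=")
    if sep:
        result["tracking_key"] = key
        decoded = decode_b64(value)
        result["decoded_fragment"] = decoded
        result["personalized"] = bool(decoded and EMAIL_RE.match(decoded))
    result["suspicious"] = bool(result["destination"]) or result["personalized"]
    return result


# Constructed sample: the report redacts the recipient, so a placeholder is encoded.
SAMPLE_EMAIL = "user_1@corp.example"
SAMPLE_URL = ("http://maps.google.com.br/url?q=http%3A%2F%2Fevil-acme.com%2Fcontact"
              "&sa=D&sntz=1&usg=AOvVaw02WyromupWuO-ZvDtceTbW"
              "#89efb2ea676275dc216848c8cd505629321e8dfb="
              + base64.b64encode(SAMPLE_EMAIL.encode()).decode())
BENIGN_URL = "https://maps.google.com/maps?q=Eiffel+Tower"  # constructed, not a redirect
```

Running `analyze_url(SAMPLE_URL)` yields destination `evil-acme.com` with `personalized` set, while the benign Maps link produces no destination and is not flagged.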

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Email spoofing confirmed through header analysis showing sender address (user_1@[INTERNAL_DOMAIN_1].local) matching the recipient, originating from [EXTERNAL_IP_1], a VPN endpoint in France hosted by OVH SAS — inconsistent with legitimate internal infrastructure

2. Malicious URL obfuscation using Google Maps redirect (`maps.google.com.br/url?q=...`) to mask the true destination (`evil-acme.com`), with both URLs marked as malicious and remediated in security alerts

3. Personalized tracking via Base64-encoded parameter in the URL fragment decoding to the victim's email address, indicating targeted, deliberate campaign design rather than mass phishing

4. Campaign scale confirmed by email cluster analysis identifying 19 similar messages with identical body fingerprint, demonstrating coordinated, multi-target attack

5. Confidence is High rather than Confirmed because the 16-day detection delay and lack of Microsoft Defender XDR records for email events, attachments, and URL info suggest security controls initially missed the threat, leaving a gap in telemetry that could obscure other indicators of compromise or post-delivery interaction

Lessons

  1. Detection delay is the real threat, not just the email. This investigation revealed a 16-day gap between email receipt (December 17, 2025) and user report (January 2, 2026). During that window, 19 similar phishing emails targeting multiple employees went undetected by automated systems. The email was eventually marked malicious and remediated, but the delay meant the attack had maximum time to succeed. Audit your email security controls: if users are the primary detection mechanism, you've already lost. Implement email cluster analysis and body fingerprint correlation to catch campaign-scale phishing automatically, and set alerts to trigger when identical emails reach multiple users within hours, not days.
  2. URL obfuscation + personalization = high-confidence targeting. The attacker used a Google Maps redirect to hide the destination (evil-acme.com) and embedded a Base64-encoded tracking parameter containing the victim's email address. This combination signals a deliberate, targeted attack, not mass phishing. The personalization suggests the attacker had prior knowledge of the target's email address and crafted the campaign specifically for [ORG_1]. When you see redirect URLs with encoded user identifiers, treat it as evidence of reconnaissance and intent. Escalate immediately and check for other indicators of compromise in the target's mailbox and authentication logs.
  3. Email spoofing from external IPs is still spoofing. The phishing email claimed to come from user_1@[INTERNAL_DOMAIN_1].local but originated from [EXTERNAL_IP_1], a VPN endpoint in France. DMARC, SPF, and DKIM should have caught this, but the email was delivered. Verify that your email authentication policies are enforced at the gateway and that spoofed internal addresses are rejected or quarantined, not delivered. If legitimate internal users send from external IPs (remote work, travel), use a separate authentication flow or require additional verification before delivery.
  4. Campaign scope changes the investigation priority. Email cluster analysis identified 19 similar emails with the same body fingerprint. This transforms the investigation from 'one user got phished' to 'we have a coordinated campaign targeting multiple employees.' When you discover campaign-scale phishing, immediately: (1) identify all recipients, (2) check mailbox access logs for clicks or credential entry, (3) review authentication logs for the targeted users during the 16-day window, and (4) assess whether the attacker gained any foothold. The 19-email cluster is your signal to escalate to incident response, not just security awareness training.