Investigation

Case Studies

Sanitised write-ups of real investigations from enterprise SOC work. Details have been anonymised. Techniques, tooling, and decision-making are accurate.

All identifying details have been removed. Techniques, tooling, and investigation logic are representative of actual work.
Case 01
The Phishing Email That Bypassed Every Filter
A targeted phishing email reached a finance employee by abusing a trusted cloud storage provider's sending infrastructure, bypassing SPF, DKIM, and DMARC checks. The detection gap, investigation, and remediation are documented here.
Phishing Email Security Detection Gap
Case 02
LOLBin Execution via mshta.exe Spawned from Word
A macro-enabled Word document spawned mshta.exe to execute a remote HTA payload. The attack was stopped at execution, but the investigation revealed how close the attacker got to establishing persistence.
Malware LOLBin Macro Execution
Case 03
Email Bombing Used as a Distraction During Account Compromise
A finance employee's inbox was flooded with thousands of newsletter subscriptions. While IT was fielding complaints, the attacker was using the employee's credentials to access financial systems. The timing was not a coincidence.
Account Takeover Email Bombing Distraction Tactic