Powerful Pivots: From a Single Phish to a Full Campaign

Every reactive investigation is an opportunity to build a proactive hunt. Let’s take a real-world phishing email (a “Ledger” phish) and show how to pivot “upstream.”

The Reactive Clues: The investigation starts with email headers.

We find IPs like 149.72.223.116 and 159.183.183.61, which indicate compromised SendGrid accounts. Using PTR (reverse DNS) records helps identify the sender, but this is all after-the-fact analysis. The malicious link itself was ledger-recovery-app[.]com. 

The Proactive Pivots: Instead of stopping, we use that domain as our first “thread” to pull.

Content Pivot: We can hunt for other sites that share the same characteristics. A simple query can find all domains that also have an HTML Title of “Are you human?” and a URL that contains “ledger”.

This immediately widens the net. 

Domain/WHOIS Pivot: We can hunt for similar domains before they’re armed. Attackers use predictable patterns.

We can build a proactive query to find all domains where:

  Domain is one of: ledger-*-*.com OR *-ledger-*.com
  AND
  Registrar is: Amazon Registrar, Inc.

This query finds domains the moment they’re registered, long before they’re ever used in an email campaign.
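To make both pivots concrete, here is an added Python example (not from the original post, and not the vendor's query language or API) that runs the content pivot and the domain/registrar pivot over a constructed set of sample records. The record fields, the sample domains (apart from the one from the phish above) and the choice that “*” never crosses a dot are my assumptions.

```python
import re

# Constructed sample records (not real feed data): newly registered domains with
# their registrar, plus the HTML title and URL a scanner would record for each.
SAMPLE_RECORDS = [
    {"domain": "ledger-recovery-app[.]com", "registrar": "Amazon Registrar, Inc.",
     "title": "Are you human?", "url": "https://ledger-recovery-app.com/verify"},
    {"domain": "my-ledger-login.com", "registrar": "Amazon Registrar, Inc.",
     "title": "Sign in", "url": "https://my-ledger-login.com/"},
    {"domain": "ledger-wallet-help.com", "registrar": "Example Registrar LLC",
     "title": "Are you human?", "url": "https://ledger-wallet-help.com/start"},
    {"domain": "ledger.com", "registrar": "Example Registrar LLC",
     "title": "Ledger", "url": "https://www.ledger.com/"},
    {"domain": "ledger-x-y.example.com", "registrar": "Amazon Registrar, Inc.",
     "title": "Are you human?", "url": "https://ledger-x-y.example.com/"},
]

DOMAIN_PATTERNS = ("ledger-*-*.com", "*-ledger-*.com")
REGISTRAR = "Amazon Registrar, Inc."


def normalize(domain):
    """Refang "[.]", lowercase and drop a trailing dot so patterns compare cleanly."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def glob_to_regex(pattern):
    """Translate the query glob to a regex. Assumption: '*' matches within one
    label only (never across a dot), so 'ledger-*-*.com' does not match the
    subdomain-style 'ledger-x-y.example.com'."""
    parts = ["[^.]*" if p == "*" else re.escape(p) for p in re.split(r"(\*)", pattern)]
    return re.compile("^" + "".join(parts) + "$")


def domain_pivot(records, patterns=DOMAIN_PATTERNS, registrar=REGISTRAR):
    """Domain/WHOIS pivot: name matches one of the globs AND registrar matches."""
    regexes = [glob_to_regex(p) for p in patterns]
    return sorted(normalize(r["domain"]) for r in records
                  if r["registrar"] == registrar
                  and any(rx.match(normalize(r["domain"])) for rx in regexes))


def content_pivot(records, title="Are you human?", keyword="ledger"):
    """Content pivot: exact HTML title AND keyword somewhere in the URL."""
    return sorted(normalize(r["domain"]) for r in records
                  if r["title"].strip().lower() == title.lower()
                  and keyword.lower() in r["url"].lower())


if __name__ == "__main__":
    print("content pivot:", content_pivot(SAMPLE_RECORDS))
    print("domain pivot: ", domain_pivot(SAMPLE_RECORDS))
```

The two result sets overlap on the original phishing domain but are otherwise different, which is the point of running more than one pivot.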

Try this example yourself using our free Community Edition: