Not every incident starts with an alert.
Sometimes it starts with a confident assumption.
In this case, a suspicious email spread internally. The user reported they did not send it, and the client confidently assessed the message as spoofing.
It wasn’t.
Email header analysis revealed the message originated from within the organization (AuthAs: Internal) using legacy SMTP AUTH (AuthMechanism: 04), an authentication pathway that does not enforce MFA. Valid credentials were used, no alerts were generated, and the activity appeared legitimate.
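The header check described above, as an added example rather than material from the talk: it assumes the abbreviated AuthAs and AuthMechanism values are the Exchange headers X-MS-Exchange-Organization-AuthAs and X-MS-Exchange-Organization-AuthMechanism, treats mechanism 04 as the legacy SMTP AUTH path the abstract describes, and runs over two constructed sample messages.

```python
# Added example (not the talk's code): classify a message by the Exchange
# authentication headers the abstract cites. Samples below are constructed.
from email import message_from_string

AUTH_AS = "X-MS-Exchange-Organization-AuthAs"  # assumed full header name
AUTH_MECH = "X-MS-Exchange-Organization-AuthMechanism"  # assumed full header name
LEGACY_SMTP_AUTH = "04"  # per the abstract: SMTP AUTH, no MFA enforced


def triage(raw_message: str) -> dict:
    """Classify a raw message by how Exchange authenticated the sending session."""
    msg = message_from_string(raw_message)
    auth_as = (msg.get(AUTH_AS) or "").strip().lower()
    mech = (msg.get(AUTH_MECH) or "").strip()
    results = (msg.get("Authentication-Results") or "").lower()
    spf_fail = "spf=fail" in results or "spf=softfail" in results

    if auth_as == "internal":
        # Exchange accepted an authenticated user session: credential use
        # inside the tenant, not spoofing. Treat as compromise until confirmed.
        verdict = "authenticated-internal"
    elif spf_fail or auth_as == "anonymous":
        # Unauthenticated submission with failing SPF: the spoof profile.
        verdict = "likely-spoofed"
    else:
        verdict = "external"

    return {
        "auth_as": auth_as,
        "mechanism": mech,
        "spf_fail": spf_fail,
        "legacy_auth_no_mfa": auth_as == "internal" and mech == LEGACY_SMTP_AUTH,
        "verdict": verdict,
    }


# Constructed sample: forged From with no authenticated session behind it.
SPOOFED_SAMPLE = """From: ceo@example.com
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com
X-MS-Exchange-Organization-AuthAs: Anonymous

Please handle this today.
"""

# Constructed sample: the incident pattern, a real mailbox sending via SMTP AUTH.
INTERNAL_SAMPLE = """From: user@example.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04

See attached.
"""
```

A message that triages as authenticated-internal with legacy_auth_no_mfa set is the case the abstract describes: an account-compromise investigation, not a spoofing case.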
With limited visibility, the investigation required correlating endpoint and infrastructure telemetry. Pivoting on domains associated with file retrieval revealed additional impacted systems beyond those initially reported.
The incident exposed gaps in both detection and control coverage. Mailbox forwarding rules enabled data exfiltration and were managed reactively rather than preventively, while authentication-based detection failed due to legitimate credential use. When questions arose around credential origin, validation had to be guided within the client’s own environment while maintaining privacy and access boundaries.
This talk provides practical guidance for defenders, including how to:
- distinguish spoofed emails from authenticated internal activity using header analysis
- identify authentication pathways where MFA is not enforced
- pivot on DNS and endpoint telemetry to expand incident scope
- detect and reduce risk from mailbox forwarding rules
- validate potential credential exposure within appropriate privacy and access boundaries
- investigate effectively when activity appears legitimate and generates no alerts
Attendees will leave with practical approaches for identifying and responding to attacks that bypass traditional detection by blending into expected behavior.