Investigating a compromised system on-premises
For the first scenario, we will use a machine that got compromised after the end user opened a phishing email that looks like the following:
Figure 14.6: Real example of a phishing email that was able to compromise a system
This end user was located in the Brazilian branch office; hence the email is in Portuguese. The content of this email is a bit concerning since it talks about an ongoing legal process, and the user was curious to see if he really had anything to do with it. After poking around within the email, he noticed that nothing was happening when he tried to download the email’s attachment. He decided to ignore it and continued working. A couple of days later, he received an automated report from IT saying that he accessed a suspicious site and that he should call support to follow up on this ticket.
He called support and explained that the only suspicious activity that he remembers was opening an odd...