This article walks through a SOC (Security Operations Center) case from LetsDefend.io where a user receives a suspicious email offering a free Windows 11 upgrade. The tutorial centers on investigating and responding to this incident.
Case Study on SOC338 and Luma Stealer Detection
We begin with an incident investigation using LetsDefend.io, where a user named Dylan received a suspicious email promising a free upgrade to Windows 11. This offer is identified early on as a social engineering trick, a classic phishing attempt aimed at tricking users into downloading malware.
Dissecting the Phishing Email
The attacker masqueraded as “update@windows-update.com” and embedded multiple “Update Now” buttons to lure the user into clicking. Upon inspection, the link pointed to a suspicious domain that mimicked Microsoft’s update site. Analysts are shown how to parse emails—checking headers, SMTP origin IP, and delivery timestamps—to extract key metadata and assess legitimacy.
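The header and link checks described above can be scripted so that the same metadata is pulled from every suspicious message. The following is an added example, not code from the LetsDefend case or platform: it parses a constructed message with Python's standard `email` module, walks the Received chain back to the originating IP, compares the visible From domain with the Return-Path domain, and lists the domains behind the "Update Now" links. The sender address is the one from the case write-up; every IP (RFC 5737 documentation ranges), hostname, timestamp and the link domain `windows-update-example.invalid` are invented placeholders.

```python
"""Triage a phishing email's headers and embedded links.

Added example for the SOC338 write-up; not LetsDefend code. The message below
is constructed: only the spoofed sender address comes from the case.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Header continuation lines begin with a tab.
SAMPLE_EMAIL = """\
Received: from mail.example.invalid (mail.example.invalid [203.0.113.10])
\tby mx.corp.example (Postfix) with ESMTP id ABC123
\tfor <dylan@corp.example>; Mon, 13 Mar 2023 14:05:22 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.invalid with SMTP; Mon, 13 Mar 2023 14:05:20 +0000
Return-Path: <bounce@attacker-relay.invalid>
From: Windows Update <update@windows-update.com>
To: dylan@corp.example
Subject: Your free Windows 11 upgrade is ready
Date: Mon, 13 Mar 2023 14:05:19 +0000
Content-Type: text/html

<html><body>
<a href="http://windows-update-example.invalid/upgrade">Update Now</a>
<a href="http://windows-update-example.invalid/upgrade">Update Now</a>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def received_hops(msg):
    """IPs from the Received chain, oldest hop first.

    Each MTA prepends its own Received header, so the last header in the
    message is the one closest to the true origin.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def sender_mismatch(msg):
    """True when the displayed From domain differs from the Return-Path domain."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg["Return-Path"]))[1].rpartition("@")[2].lower()
    return from_domain != rp_domain


def embedded_links(msg):
    """All hrefs in the HTML body plus the distinct domains they resolve to."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    urls = HREF_RE.findall(text)
    domains = sorted({u.split("/")[2].lower() for u in urls if "://" in u})
    return urls, domains


def triage(raw):
    """Summarise the fields an analyst reads off a suspicious message."""
    msg = message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    urls, domains = embedded_links(msg)
    return {
        "origin_ip": hops[0] if hops else None,
        "hops": hops,
        "sent_at": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "from_address": parseaddr(str(msg["From"]))[1],
        "return_path_mismatch": sender_mismatch(msg),
        "urls": urls,
        "link_domains": domains,
        # Heuristic only: a vendor name in a domain that is not the vendor's own.
        "lookalike_link": any("windows" in d and not d.endswith("microsoft.com") for d in domains),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key:>21}: {value}")
```

The origin hop is only as trustworthy as the relays that recorded it; an attacker can forge Received headers below the point where your own mail gateway stamped its entry, so anchor on the hop your gateway wrote and treat earlier hops as claims to be checked against threat intelligence.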
Payload Delivery and Execution Behavior
Dylan’s interaction with the link led him to download an executable that disguised itself as a Windows 11 upgrade. Logs revealed that shortly after accessing the phishing domain, a command-line process (mshta) was launched, suggesting the execution of the downloaded malicious file, Luma Stealer. This malware harvests sensitive user data and communicates with a Command and Control (C2) server.
Investigating Endpoint Activity
The video demonstrates real-world SOC procedures to confirm infection: checking terminal and browser history, identifying initiated processes, and analyzing DNS and IP-level traffic. No attachments were present in the email, but multiple URLs were flagged. Since the phishing site was down, threat intelligence databases were used to retrieve past behavior, confirming it as a phishing operation.
Using Threat Intelligence and Analysis Tools
With tools like Any.run and threat intel platforms, the analyst reviews the site’s historical behavior—HTTP headers, network activity, and download attempts. This helped classify the site as malicious even without real-time interaction.
Containment and Host Remediation
The analyst then proceeds to contain Dylan’s machine: deleting the phishing email, identifying the downloaded malware file (mellow.mp4), and ensuring all traces are erased from startup, temp, and registry locations. Recommendations include running antivirus scans and restoring from a secure backup.
IOC Documentation and Case Closure
The final step involved gathering all Indicators of Compromise (IOCs)—email address, domains, IPs, and URLs—and registering them in the LetsDefend platform. This action supports broader threat intelligence sharing and future detections.
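Before indicators are registered in a platform or shared, they are usually normalized, typed and defanged so that a report cannot be clicked by accident. The following is an added example and not LetsDefend code: it takes the raw IOC list an analyst collects at case closure, de-duplicates it, classifies each value as email, domain, IP or URL, and produces a defanged record. The sender address is the one from the case; the domain, IP and URL are constructed placeholders, and `SOC338` is used only as a label for the record.

```python
"""Normalize, classify and defang IOCs collected at case closure.

Added example for the SOC338 write-up; not LetsDefend code. Indicator values
are constructed except the spoofed sender address from the case.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit, urlunsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed analyst notes: duplicates, stray whitespace and one non-indicator.
RAW_IOCS = [
    "update@windows-update.com",
    "UPDATE@windows-update.com ",
    "windows-update-example.invalid",
    "203.0.113.55",
    "http://windows-update-example.invalid/upgrade",
    "junk",
]


def classify(value):
    """Return one of url, email, ip, domain or unknown."""
    v = value.strip()
    if "://" in v:
        return "url"
    if EMAIL_RE.match(v):
        return "email"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def defang(value):
    """Render an indicator non-clickable: hxxp scheme and [.] in host parts."""
    kind = classify(value)
    v = value.strip()
    if kind == "url":
        p = urlsplit(v)
        scheme = p.scheme.replace("http", "hxxp")
        return urlunsplit((scheme, p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))
    if kind == "email":
        local, _, dom = v.rpartition("@")
        return f"{local}@{dom.replace('.', '[.]')}"
    return v.replace(".", "[.]")


def build_record(case_id, raw_iocs):
    """De-duplicate case-insensitively (URLs keep their path case) and type each IOC."""
    seen, items = set(), []
    for raw in raw_iocs:
        kind = classify(raw)
        v = raw.strip() if kind == "url" else raw.strip().lower()
        if not v or v in seen:
            continue
        seen.add(v)
        items.append({"type": kind, "value": v, "defanged": defang(v)})
    return {"case": case_id, "count": len(items), "iocs": items}


if __name__ == "__main__":
    print(json.dumps(build_record("SOC338", RAW_IOCS), indent=2))
```

Keeping the `unknown` entries in the record rather than dropping them lets the analyst see what did not parse, which is usually a typo in the notes rather than a new indicator type.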
Key Learning Objectives for Analysts
Throughout, the article imparts critical knowledge: how to handle phishing campaigns from detection to remediation, how to cross-check infrastructure with intelligence tools, and how to methodically analyze email-based threats using a SOC playbook. The goal is to equip viewers with the confidence and tools to navigate real-world security incidents.