Phishing Campaign Analysis — Q1 2024

Summary

Analysed 1,248 phishing emails reported by employees in Q1 2024. Clustered by lure theme, sender infrastructure, and URL patterns to identify recurring actors and prioritise defensive tuning.

Method

• Extracted indicators (domains, IPs, hashes) from reported samples using a PowerShell parser and MSTICPy.
• Enriched via VirusTotal, urlscan.io, and AbuseIPDB.
• Grouped by campaign using Jaccard similarity on subject lines, URL paths, and sender domains.

Key Findings

• 62% of volume came from just 3 campaigns — all impersonating HR or finance portals.
• Attacker infrastructure heavily leaned on compromised WordPress sites as redirect layers.
• A single Telegram bot API endpoint appeared in 40% of credential-harvesting pages.

Impact & Action

• Blocklisted 87 domains, 23 IPs, and 12 hash patterns at the email gateway.
• Updated user awareness content focused on the top 3 observed lures.
• Click-rate on simulated phishing dropped from 9.1% → 4.3% over two months.

Deliverables

• Executive summary deck
• IOC bundle (STIX 2.1)
• Tuning recommendations for email gateway and EDR