NOBELIUM - wide scale APT29 spear-phishing
On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: - Collect IOCs to be used in your threat hunting process - Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts - Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Rapid Breach Response · 34 tasks · 4 inputs · 0 outputs
Inputs
EWSSearchQuery— The EWS query to find malicious emails related to NOBELIUM spear-phishing.BlockIndicatorsAutomatically— Whether to automatically indicators involved with NOBELIUM spear-phishing.UserVerification— Possible values: True/False. Whether to provide user verification for blocking IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.AutoBlockIndicators— |- Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.
Commands used
ews-search-mailbox
extractIndicators
setIndicators