Mimecast case studies
The Sophos MDR team escalated the following case for Mimecast.
The case
On February 6, 2024, the Sophos MDR team received a cluster of security alerts from Mimecast. The alert type is 'Default URL Def', mapped to the MITRE ATT&CK technique 'Spearphishing Link'. We observed that the activity was 'unactioned' (original alert action: allowed) by the alerting security control. MDR investigation observed user@domain[.]com, associated with host User-LT, receiving an email with the subject heading "26 hours a day now possible in 24 - Wiz kid shares his secret", originating from email address no-reply@xpressim[.]com with the external IP address 141[.]193[.]71[.]8. The URL for this alert was hxxps[://]jharedcruzada[.]myclickfunnels[.]com/_tracking/email_click/broadcast/NPobBO?contact_id=BqlnPlG&url=hxxps%3A%2F%2Flevelup[.]go2im[.]com%2Foffer.

OSINT on the alerting URL myclickfunnels[.]com shows it does not hold a malicious reputation. OSINT on the IP 141[.]193[.]71[.]8 shows it belongs to ISP ClickFunnels USA and does not show a malicious reputation. Further investigation on the sender domain xpressim[.]com shows it belongs to ISP Amazon Technologies Inc and has a high-confidence abuse score associated with phishing and fraud. We also checked for open sockets on host User-LT and have not observed any suspicious connections. At this stage we have the following recommendations.
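As an added example (not Sophos or Mimecast code), the Python helpers below reproduce the triage steps described in this case: refang the defanged indicators from the notes, unwrap the ClickFunnels tracking link to expose the real landing page carried in its `url` parameter, defang the results again for reporting, and scan socket output for connections to the sender IP. The netstat-style lines are constructed sample data, not output from User-LT, and deliberately include one matching connection so the check is shown firing; the query-parameter names other than `url` are assumptions.

```python
"""Triage helpers for a Mimecast 'Spearphishing Link' alert.

Added example, not Sophos or Mimecast code. Indicators below are copied
as written (defanged) from the case notes.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

ALERT_URL = ("hxxps[://]jharedcruzada[.]myclickfunnels[.]com/_tracking/email_click/"
             "broadcast/NPobBO?contact_id=BqlnPlG&url=hxxps%3A%2F%2Flevelup[.]go2im[.]com%2Foffer")
SENDER_IP = "141[.]193[.]71[.]8"
SENDER_DOMAIN = "xpressim[.]com"

# Constructed netstat-style sample (NOT real output from User-LT); the second
# line is a planted connection to the sender IP so the check below has a hit.
SAMPLE_SOCKETS = """\
TCP    10.0.0.15:49812    203.0.113.5:443      ESTABLISHED    4120
TCP    10.0.0.15:49830    141.193.71.8:443     ESTABLISHED    7788
TCP    0.0.0.0:135        0.0.0.0:0            LISTENING      904
UDP    10.0.0.15:5353     *:*                                 2100
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.] , [://]) back into its usable form."""
    out = ioc.replace("[.]", ".").replace("[://]", "://").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Defang a live URL or bare host for safe inclusion in a report."""
    parsed = urlparse(ioc)
    if not parsed.scheme:            # bare domain or IP address
        return ioc.replace(".", "[.]")
    rest = ioc[len(parsed.scheme) + 3 + len(parsed.netloc):]
    return f"{parsed.scheme.replace('http', 'hxxp')}[://]{parsed.netloc.replace('.', '[.]')}{rest}"


def unwrap_redirect(url: str, params=("url", "u", "redirect", "target")) -> Optional[str]:
    """Return the destination embedded in a click-tracking redirect link, if any.

    Parameter names other than 'url' are assumptions about common redirectors.
    """
    query = parse_qs(urlparse(url).query)   # parse_qs already percent-decodes values
    for name in params:
        if name in query:
            inner = refang(query[name][0])  # inner URL may itself be defanged
            if urlparse(inner).netloc:
                return inner
    return None


def triage(alert_url: str = ALERT_URL, sender_ip: str = SENDER_IP,
           sender_domain: str = SENDER_DOMAIN) -> dict:
    """Derive the hosts and IPs an analyst would consider for blocking."""
    live = refang(alert_url)
    tracking_host = urlparse(live).hostname
    landing = unwrap_redirect(live)
    hosts = {tracking_host, refang(sender_domain)}
    if landing:
        hosts.add(urlparse(landing).hostname)
    return {
        "tracking_host": tracking_host,
        "landing_url": landing,
        "block_hosts": sorted(hosts),
        "block_ips": [refang(sender_ip)],
        "report": [defang(h) for h in sorted(hosts)] + [defang(refang(sender_ip))],
    }


def find_suspicious_sockets(netstat_text: str, bad_ips) -> list:
    """Flag socket lines whose remote address is one of the indicator IPs."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        remote_host = remote.rsplit(":", 1)[0]
        if remote_host in bad_ips:
            hits.append({"proto": proto, "local": local, "remote": remote, "pid": parts[-1]})
    return hits


if __name__ == "__main__":
    result = triage()
    print("Landing page behind the tracking link:", result["landing_url"])
    print("Defanged indicators for the report:", result["report"])
    print("Socket hits:", find_suspicious_sockets(SAMPLE_SOCKETS, result["block_ips"]))
```

The interesting output is the landing page: the alerting URL itself is only a ClickFunnels tracking redirect, and the real destination (levelup[.]go2im[.]com) sits percent-encoded in its `url` parameter, which is why the OSINT verdict on myclickfunnels[.]com alone is not sufficient. Whether the ClickFunnels IP should be blocked remains the business-use judgment stated in the recommendations.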
Recommendations
- Block the malicious URL listed in "Technical Details" below.
- Block IP 141[.]193[.]71[.]8 if ClickFunnels is not in business use.
- As a precaution, if the user has clicked any links within the email, reset credentials for user user@domain[.]com.
Technical Details
- Detection ID: XDR-mimecast-Phishing-for-Information:-Spearphishing-Link
- Recipients: user@domain[.]com
- Sender: no-reply@xpressim[.]com
- Sender IP: 141[.]193[.]71[.]8
- URLs: xpressim[.]com
Please inform MDR of your actions and findings after reviewing our recommendations. Don't hesitate to contact us with any further questions or concerns.