Incident report · auto-generated
INC-2026-0418 — Finance Phishing → DC RDP
Drafted by copilot · reviewed by Maya Reyes · 27 Jun 2026 09:14 UTC
Executive summary
On 27 Jun 2026 at 06:30 UTC, a CFO-impersonation phishing link was delivered to a finance user, who clicked it at 06:48. By 07:58, 1h 28m after delivery, the adversary had executed an encoded PowerShell stager from Word, established a Cobalt Strike beacon, reused the svc_backup service-account credential, and attempted RDP to domain controller DC-EU-01. The copilot raised a critical verdict at 08:14 (1h 44m after delivery) and the intrusion was contained at 08:18 UTC. No data exfiltration was observed.
Key metrics
- Time to detect: 4m
- Time to triage: 9m
- Time to contain: 1h 48m
- Hosts affected: 2
Kill-chain narrative
- 06:30 — Phishing link delivered to m.kowalski@corp.io.
- 06:48 — Link clicked; redirected to invoice-portal-corp[.]co.
- 07:20 — Encoded PowerShell stager executed as a child process of winword.exe.
- 07:41 — Cobalt Strike beacon to Tor exit 185.220.101.42.
- 07:58 — svc_backup credential reused; RDP logon to DC-EU-01 attempted.
- 08:14 — Copilot raised a critical verdict; analyst approved containment.
- 08:18 — Host isolated; svc_backup account disabled; C2 IP blocked at the perimeter.
IOCs
- domain: invoice-portal-corp[.]co
- ip: 185.220.101.42 (Tor exit, AS208294)
- ip: 104.28.211.18 (residential proxy)
- sha256: a3f9...c21e (Cobalt Strike beacon)
- user: svc_backup (suspended)
Recommendations
- Block Office applications from creating child processes via the corresponding ASR rule (mitigates T1059 as used here: winword.exe spawning PowerShell).
- Deny interactive and RDP logon for tier-0 service accounts on the domain controllers themselves (user-rights assignment), in addition to tightening conditional access; Entra Conditional Access does not gate native RDP to an on-premises DC.
- Add a detection for first-time RDP logon (event 4624, logon type 10) by any account to a domain controller, a Sigma rule plus a learned (user, host) baseline, since "first-time" needs state a single Sigma match does not carry (template available in Hunt).
- User-awareness refresher for the finance team focusing on CFO-impersonation patterns.
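As an added example (not the report's own tooling and not the Hunt template the third recommendation refers to), the following Python sketches the stateful part of that detection: alert on the first RDP logon (event 4624, logon type 10) by a given account to any domain controller, learning the (user, host) baseline as it goes and rating service accounts higher. The DC inventory, the svc_ naming convention and the sample events are constructed assumptions; the svc_backup event at 07:58 mirrors the timeline above.

```python
"""
Stateful check for a first-time RDP logon to a domain controller.

Added illustration for this report; it is not the Hunt template the
recommendation refers to. Inputs are Windows Security event 4624 records
flattened to dicts (constructed samples below, not real logs) and a
hypothetical DC inventory. A real deployment would read events from the
SIEM in time order and persist the (user, host) baseline between runs.
"""
from dataclasses import dataclass

# Hypothetical tier-0 inventory (assumption): hostnames of domain controllers.
DOMAIN_CONTROLLERS = {"DC-EU-01", "DC-EU-02"}

# Windows logon type 10 = RemoteInteractive, i.e. RDP / Terminal Services.
RDP_LOGON_TYPE = 10

# Assumed naming convention: service accounts start with "svc_".
SERVICE_ACCOUNT_PREFIX = "svc_"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    host: str
    source_ip: str
    severity: str


def first_time_rdp_to_dc(events, baseline=None):
    """Return one Alert per (user, DC) pair whose first RDP logon is in events.

    events:   iterable of dicts in time order with keys ts, event_id,
              logon_type, target_user, computer, source_ip.
    baseline: set of (user, host) pairs already seen in history; updated in
              place so a repeat logon by the same pair does not re-alert.
              None means no history, so every pair alerts once.
    A service account's first RDP to a DC is rated critical (tier-0 service
    accounts should never log on interactively); other users are rated high.
    """
    seen = set() if baseline is None else baseline
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4624 or ev.get("logon_type") != RDP_LOGON_TYPE:
            continue  # not a successful RDP logon
        host = ev["computer"].upper()
        if host not in DOMAIN_CONTROLLERS:
            continue  # RDP to member servers is out of scope for this rule
        user = ev["target_user"].lower()
        key = (user, host)
        if key in seen:
            continue  # already baselined for this (user, DC) pair
        seen.add(key)
        severity = "critical" if user.startswith(SERVICE_ACCOUNT_PREFIX) else "high"
        alerts.append(Alert(ev["ts"], ev["target_user"], host, ev["source_ip"], severity))
    return alerts


# Constructed sample events (not real logs): a known admin's routine RDP,
# the service account's normal network logon, then the 07:58 RDP from the
# compromised finance workstation and two follow-on logons.
SAMPLE_EVENTS = [
    {"ts": "2026-06-27T05:10:00Z", "event_id": 4624, "logon_type": 10,
     "target_user": "admin.jdoe", "computer": "DC-EU-01", "source_ip": "10.20.0.5"},
    {"ts": "2026-06-27T07:20:31Z", "event_id": 4624, "logon_type": 3,
     "target_user": "svc_backup", "computer": "DC-EU-01", "source_ip": "10.20.0.50"},
    {"ts": "2026-06-27T07:58:12Z", "event_id": 4624, "logon_type": 10,
     "target_user": "svc_backup", "computer": "DC-EU-01", "source_ip": "10.30.4.17"},
    {"ts": "2026-06-27T08:01:00Z", "event_id": 4624, "logon_type": 10,
     "target_user": "svc_backup", "computer": "DC-EU-01", "source_ip": "10.30.4.17"},
    {"ts": "2026-06-27T08:02:00Z", "event_id": 4624, "logon_type": 10,
     "target_user": "svc_backup", "computer": "FS-EU-03", "source_ip": "10.30.4.17"},
]

# Hypothetical baseline learned from prior history: admin.jdoe is known on DC-EU-01.
HISTORICAL_BASELINE = {("admin.jdoe", "DC-EU-01")}


if __name__ == "__main__":
    for a in first_time_rdp_to_dc(SAMPLE_EVENTS, set(HISTORICAL_BASELINE)):
        print(f"[{a.severity}] {a.timestamp} first RDP by {a.user} to {a.host} from {a.source_ip}")
```

With the historical baseline loaded, only the 07:58 svc_backup logon fires: the admin's session is baselined, the logon-type-3 event is not RDP, the 08:01 repeat is suppressed, and the file server is outside the DC set. Run with an empty baseline the admin's logon fires too, which is the learning-mode behaviour you would expect on first deployment.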