Detection, technical decomposition, and governance response for a credential-harvesting phishing attempt targeting a mid-size organisation's finance department. Findings mapped to ISO 27001, NIST CSF, and GDPR Article 32.
A simulated phishing email targeting the finance department of a mid-size organisation was intercepted and analysed. The message impersonated the organisation's internal IT helpdesk and attempted to harvest Microsoft 365 credentials via a spoofed login page. Technical analysis identified four distinct indicators of compromise. The incident exposed three governance control gaps: absent SPF/DMARC enforcement, no mandatory phishing simulation programme, and an incomplete Data Breach Response procedure. Risk is rated High. Five prioritised recommendations are provided with framework mapping.
This write-up analyses a fictional but technically realistic phishing scenario constructed for portfolio purposes using open-source intelligence methods and publicly documented attack patterns. All domain names, IP addresses, and organisational details are fabricated. The analysis methodology and GRC framework mappings reflect real-world practice.
Scenario: A member of the finance department at Nexara Solutions (fictional) received an email appearing to originate from the internal IT helpdesk, requesting urgent re-authentication due to a "suspicious login attempt." The link directed to a credential-harvesting page mimicking the organisation's Microsoft 365 login portal.
The intercepted message was examined in full including raw headers. Key fields are annotated below. Suspicious elements are flagged inline.
Dear Marie,
Our security systems have detected a suspicious sign-in attempt to your Nexara account from an unrecognised device (IP: 185.220.101.47, Romania).
To prevent your account from being locked, you must verify your identity within 2 hours. Failure to do so will result in temporary suspension of your Microsoft 365 access.
→ Click here to verify: https://nexara-m365-verify.pages.dev/login
IT Security Team
Nexara Solutions
Email headers were parsed programmatically using Python to extract authentication results, routing hops, and domain registration data. The following script reproduces the key extraction steps.
```python
# Parse raw email headers and extract authentication signals
import email
import whois            # python-whois
import dns.resolver     # dnspython
import dns.exception
from datetime import datetime

with open('sample_phish.eml', 'r') as f:
    msg = email.message_from_file(f)

sender_domain = 'nexara-support.com'   # domain observed in the parsed From: header
legit_domain = 'nexara.com'            # the organisation's real domain, for comparison

# --- SPF check ---
try:
    spf_record = dns.resolver.resolve(sender_domain, 'TXT')
    spf_found = any('v=spf1' in str(r) for r in spf_record)
except dns.exception.DNSException:
    spf_found = False

# --- DMARC check ---
try:
    dmarc = dns.resolver.resolve(f'_dmarc.{sender_domain}', 'TXT')
    # A TXT record at _dmarc only counts if it is actually a DMARC policy
    dmarc_found = any('v=DMARC1' in str(r) for r in dmarc)
except dns.exception.DNSException:
    dmarc_found = False

# --- WHOIS domain age ---
w = whois.whois(sender_domain)
creation_date = w.creation_date[0] if isinstance(w.creation_date, list) \
    else w.creation_date
domain_age_days = (datetime.now() - creation_date).days

# --- Output ---
print(f"SPF present   : {spf_found}")            # → False
print(f"DMARC present : {dmarc_found}")          # → False
print(f"Domain age    : {domain_age_days} days") # → 8 days

## FLAG: Newly registered domain (8 days). No SPF. No DMARC.
## Consistent with purpose-built phishing infrastructure.
```
| Indicator of Compromise | Value | Severity | Notes |
|---|---|---|---|
| Lookalike sender domain | nexara-support.com | HIGH | Registered 8 days prior. No affiliation to nexara.com. |
| Absent SPF / DMARC | NEUTRAL / MISSING | HIGH | Sender domain carries no email authentication policy. |
| Credential-harvest URL | nexara-m365-verify.pages.dev | HIGH | Cloudflare Pages hosting. Mimics M365 login UI. Domain ≠ Microsoft. |
| Urgency & deadline framing | "within 2 hours" | MEDIUM | Social engineering vector. Designed to suppress critical evaluation. |
| Non-corporate mailer | PHPMailer 6.7.1 | LOW | Inconsistent with enterprise mail infrastructure. Corroborating signal only. |
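As an added, offline example (not the write-up's own script), the following Python triages a constructed .eml carrying the same five indicators, so the checks the table lists can be exercised without DNS or WHOIS access. Assumed: the receiving MX stamps an Authentication-Results header, and an allowlist of legitimate link hosts.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

LEGIT_DOMAIN = "nexara.com"
ALLOWED_LINK_HOSTS = {"login.microsoftonline.com", "nexara.com"}  # assumed allowlist
URGENCY = re.compile(r"within \d+ (?:hours?|minutes?)|temporary suspension", re.I)

# Constructed sample message; header values mirror the indicators in the table above.
SAMPLE_EML = """From: IT Security Team <helpdesk@nexara-support.com>
To: marie@nexara.com
Subject: Action required: suspicious sign-in attempt
Authentication-Results: mx.nexara.com; spf=none smtp.mailfrom=nexara-support.com; dmarc=none header.from=nexara-support.com
X-Mailer: PHPMailer 6.7.1
Content-Type: text/plain; charset=utf-8

To prevent your account from being locked, you must verify your identity within 2 hours.
Click here to verify: https://nexara-m365-verify.pages.dev/login
"""

def sender_domain(msg):
    return email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def is_lookalike(domain, legit=LEGIT_DOMAIN):
    # Carries the brand name but is neither the real domain nor one of its subdomains.
    return domain != legit and not domain.endswith("." + legit) and legit.split(".")[0] in domain

def auth_results(msg):
    # spf=/dkim=/dmarc= verdicts stamped by the receiving MX (assumes a single header).
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    if is_lookalike(sender_domain(msg)):
        flags.append(("lookalike_sender_domain", "HIGH"))
    ar = auth_results(msg)
    if ar.get("spf", "none") in ("none", "fail") or ar.get("dmarc", "none") in ("none", "fail"):
        flags.append(("spf_dmarc_absent_or_failed", "HIGH"))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", body)]
    if any(h not in ALLOWED_LINK_HOSTS and not h.endswith("." + LEGIT_DOMAIN) for h in hosts):
        flags.append(("credential_harvest_url", "HIGH"))
    if URGENCY.search(body):
        flags.append(("urgency_framing", "MEDIUM"))
    if "phpmailer" in msg.get("X-Mailer", "").lower():
        flags.append(("non_corporate_mailer", "LOW"))
    return flags
```

Each returned tuple corresponds to one row of the table; a mail gateway rule set would raise the same flags from the same header fields.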
Risk is assessed using a standard likelihood × impact matrix. The finance department is a high-value target: successful credential theft could enable fraudulent payment authorisation, access to ERP systems, or internal Business Email Compromise (BEC) escalation.
Risk matrix figure (likelihood across the horizontal axis, impact down the vertical axis) not reproduced here; only its axis labels survived extraction.
Each identified control gap is mapped to the relevant clause or control in ISO 27001:2022, NIST Cybersecurity Framework (CSF 2.0), and GDPR where applicable. This mapping is the core deliverable from a governance perspective — it connects a technical observation to a policy obligation.
Recommendations are prioritised by risk reduction impact and implementation effort. Each is assigned a timeframe and framework reference. This section is written for a mixed audience: IT teams require the technical detail; business and legal stakeholders require the risk and regulatory framing.
p=quarantine policy. Monitor aggregate reports for 30 days, then escalate to p=reject. This single control eliminates the primary technical enabler of this attack class at no material cost.
The technical indicators in this email were not sophisticated. The lookalike domain, absent email authentication, and PHPMailer fingerprint would be caught by any email security gateway configured to check them — and by any user trained to verify sender domains before clicking. The attack succeeded (in the simulation) not because it was technically advanced, but because the governance layer failed: no DMARC policy, no simulation training, and no clear playbook for response.
This is the core GRC observation: most preventable incidents are not prevented by better technology alone, but by better governance of the technology that already exists. The organisation already had an email gateway. It already had MFA. The controls existed — they were simply not configured, enforced, or supported by adequate policy and training.
A GRC practitioner's value in this scenario is not to diagnose the email headers — that is a SOC function. It is to identify that three policy gaps existed before the attack landed, connect them to the specific regulatory obligations they create, and produce actionable guidance that closes them before the next attempt.
That is what this write-up demonstrates.