When the phishes slip through the net
11 June 2020
Phishing attacks are on the rise and no one’s immune, not even an incident response team member.
Yes, you’ve got it. I was on a client call discussing methods for automating the reporting of phishing emails when, lo and behold, a phishing email landed in my mailbox (you can’t make this stuff up). As if that wasn't enough, just a few hours later I was hit with a second one. I followed our security protocol and reported both emails before swiftly deleting all traces from my mailbox. However, I may also have retained copies (don’t try this at home, kids) to do some digging and see what information a quick triage of the raw EML files would turn up.
Phishing attacks are on the rise, and no one’s immune
The first email was suspicious from the start. First of all, I’ve had no dealings with South Africa in terms of purchasing or invoicing (other than security incident engagements) and, secondly, the layout of the email raised flags, as did the recipient address. The good news is, I didn’t click the link. However, I may have hovered over it to see where the URL actually pointed.
Viewing the email content as plain ASCII rather than rendered HTML reveals the actual text and the real link target: a ‘delivery’ web URL. A quick check of that URL on VirusTotal shows it flagged as malicious, and the additional details there give the IP address serving the domain, which is in turn linked to other malicious infrastructure. So, what now?
Let’s review the email headers and the source IP. The topmost Received header reads:
Received: from za-smtp-delivery-200.mimecast.co.za (HELO za-smtp-delivery-200.mimecast.co.za) (41[dot]74[dot]201[dot]200)
This header was examined to extract the source IPv4 address of the email, but the address resolves back to Mimecast in South Africa, a mail-security relay rather than the sender. What I should mention at this point is that the email was originally sent to an old address of mine (which I no longer use), and a mailbox forwarding rule sent it on to my new address.
Digging deeper into the chain, the next Received header back yields another IPv4 address:
Received: from mail6.bemta25.messagelabs.com (195[dot]245[dot]230[dot]46)
Now we’re getting somewhere: open-source research turns up detections for this address, and further IP addresses extracted from the header chain link to a variety of malspam campaigns and their payloads, which drop Trojans. Two caveats apply when walking Received headers this way. Each relay prepends its own header, so the oldest (lowest) line is the one closest to the real origin, and messagelabs.com is itself a hosted mail-filtering service, so the originating host may sit a hop further back still. And every header below your own trusted gateway could have been written by the sender, so what you extract is a lead for enrichment, not proof. At this point I set up a sandbox environment for dynamic analysis to understand the behaviour. Lo and behold, once the URL is clicked, Internet Explorer is launched and attempts to communicate with several command-and-control (C2) servers.
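As an added example (not code from the article or from NTT), the script below does the header walk and indicator extraction described above against a constructed sample EML. The sample’s Received chain reuses the two relay addresses quoted above; the internal hop, the 203.0.113.9 origin (an RFC 5737 documentation address), the sender domain, the link and the placeholder attachment are made up, and the list of relay domains to skip is an assumption you would extend with your own gateways.

```python
import email
import hashlib
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit, urlunsplit

# Constructed sample (not the message the author received). Received headers are listed
# newest first, as a receiving MTA leaves them. The two relay addresses are the ones the
# article quotes; the internal hop, the 203.0.113.9 origin, sender, link and the
# attachment (just the bytes "abc") are placeholders.
SAMPLE_EML = b"""Received: from mailgw01.corp.example (10.20.30.40)
 by mbx.corp.example; Thu, 11 Jun 2020 08:00:05 +0000
Received: from za-smtp-delivery-200.mimecast.co.za (HELO za-smtp-delivery-200.mimecast.co.za) (41.74.201.200)
 by mailgw01.corp.example; Thu, 11 Jun 2020 08:00:03 +0000
Received: from mail6.bemta25.messagelabs.com (195.245.230.46)
 by za-smtp-delivery-200.mimecast.co.za; Thu, 11 Jun 2020 07:59:59 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
 by mail6.bemta25.messagelabs.com; Thu, 11 Jun 2020 07:59:55 +0000
From: "Accounts" <accounts@invoice.example>
Subject: Invoice 4471 - delivery
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your document is ready.</p>
<a href="http://delivery.invalid/doc/4471.php">Download invoice</a></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

YWJj
--b1--
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hosted mail-security services (assumed list): their addresses identify the relay, not the sender.
RELAY_DOMAINS = ("mimecast.com", "mimecast.co.za", "messagelabs.com")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def received_hops(msg):
    """Received headers as hops, oldest first. Each MTA prepends its own header, so the
    bottom one is closest to the real origin; lines below your own gateway may be forged."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())                 # unfold continuation lines
        m = re.search(r"from\s+(\S+)", text, re.IGNORECASE)
        host = m.group(1).strip("[]").lower() if m else ""
        ips = [c for c in IPV4_RE.findall(text) if all(int(o) < 256 for o in c.split("."))]
        ip = ips[0] if ips else None
        hops.append({
            "host": host,
            "ip": ip,
            "internal": bool(ip) and any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS),
            "relay": any(host == d or host.endswith("." + d) for d in RELAY_DOMAINS),
        })
    return hops


def newest_external_hop(hops):
    """What a top-down read shows first: for filtered mail this is the relay, not the sender."""
    return next((h for h in reversed(hops) if h["ip"] and not h["internal"]), None)


def candidate_origin(hops):
    """Oldest non-internal hop that is not a known mail-security relay."""
    return next((h for h in hops if h["ip"] and not h["internal"] and not h["relay"]), None)


def defang_ip(ip):
    return ip.replace(".", "[dot]")


def defang_url(url):
    p = urlsplit(url)
    scheme = "hxx" + p.scheme[3:]                         # http -> hxxp, https -> hxxps
    return urlunsplit((scheme, p.netloc.replace(".", "[dot]"), p.path, p.query, p.fragment))


def triage(raw):
    """Extract the indicators the article lists from a raw EML: relay and origin
    addresses, link URLs and attachment hashes, defanged so they can be shared safely."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    origin, newest = candidate_origin(hops), newest_external_hop(hops)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return {
        "sender": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "subject": str(msg["Subject"]),
        "chain": [h["host"] for h in hops],
        "newest_external_host": newest["host"] if newest else None,
        "origin_ip": defang_ip(origin["ip"]) if origin else None,
        "relay_ips": [defang_ip(h["ip"]) for h in hops if h["relay"] and h["ip"]],
        "urls": sorted({defang_url(u) for u in URL_RE.findall(text)}),
        "attachment_sha256": {
            part.get_filename() or "unnamed": hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            for part in msg.iter_attachments()
        },
    }
```

Run it on a real message with triage(open(path, "rb").read()). Note the difference between newest_external_host, which is what a top-down read of the headers gives (the Mimecast relay, exactly as in the first attempt above), and origin_ip, which comes from the oldest hop once internal addresses and known relays are set aside. Neither is proof: any Received line below your own gateway can be forged by the sender, so the origin address is a lead for enrichment (reverse DNS, VirusTotal, passive DNS), not an attribution.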
The additional IP addresses for the C2 servers were triaged and, again, the servers were found to host a wide variety of malicious payloads, waiting to be deposited onto the system. One of the C2 servers was found to be:
Domain: web[dot]tresorit[dot]com
IPv4 address: 40[dot]112[dot]93[dot]201
One caveat for anyone turning this into a blocklist: Tresorit is a legitimate encrypted file-sharing service, so a sandbox contacting it most likely reflects abused hosting rather than attacker-owned infrastructure, and the indicator to act on is the specific URL, not the domain.
You can see how easy it is to uncover loads of valuable information, just by carrying out a small amount of triage and open-source research. This provided me with indicators of compromise (IOCs) including, but not limited to, IP addresses of C2 servers, hash values for the malware and a range of others. The primary malware family was found to be Emotet, well known as a banking Trojan designed to steal credentials and, by 2020, operating mainly as a loader that drops other malware onto infected hosts. Emotet can be difficult to contain: its polymorphic nature lets it evade signature-based detection, and more recent samples have added further stealth capabilities. If Emotet is not bad enough on its own, an infection commonly leads to a subsequent TrickBot infection (another banking Trojan widely linked to deploying Ryuk ransomware), as TrickBot maintains close ties with Emotet.
As mentioned, having just recovered from this ordeal, a second email came through, this time from a Protonmail address. Protonmail is an end-to-end encrypted email service and, while designed to protect users’ privacy, it is often used by threat actors to communicate with their victims. This email was, again, very suspicious from the start: titled ‘payment’, it contained nothing but a single web link to a PDF file hosted on Adobe Document Cloud. Hosting the lure on a legitimate cloud service is a common trick, because the domain carries a clean reputation and passes URL filtering. The same triage process was repeated and it was clear this was also a viable threat.
There's no slowing down for phishing, as discussed in our latest Global Threat Intelligence Report, and it's vital that employees stay alert when working through their inboxes, so they don't trigger the next security incident.