Phishing Detected
Detects phishing malware in AhnLab EPP V3 malware alert logs.
Query
The AhnLab V3 antivirus engine detects phishing malware with signatures such as
Phishing/PDF.Qshing.XG103, Phishing/HTML.FakeLogin.SC257918, X97M/Laroux, etc.
Therefore, alerts are extracted when the signature value starts with Phishing/ or X97M/.
Message
- AhnLab EPP V3 Phishing Detected: Host $host_ip, Malware $signature
Field Order
- _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
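The rule's condition and message template, applied to constructed AhnLab EPP V3 alert records in the field order above. This is an added example, not the product's query language or code; the tab-separated record layout and all sample values (hosts, names, paths, hashes) are assumptions made up for the demonstration.

```python
from string import Template
from typing import Dict, List

# Field order exactly as the rule defines it.
FIELDS = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
          "signature", "file_path", "file_status", "md5"]
# Signature prefixes the rule treats as phishing malware.
PHISHING_PREFIXES = ("Phishing/", "X97M/")
MESSAGE = Template("AhnLab EPP V3 Phishing Detected: Host $host_ip, Malware $signature")

# Constructed sample alerts (tab-separated, in FIELDS order); every value is made up.
SAMPLE_ALERTS = (
    "2024-05-01 09:12:03\tPC-0117\t10.20.31.45\tJ. Kim\tFinance\t"
    "Phishing/PDF.Qshing.XG103\tC:\\Users\\jkim\\Downloads\\invoice.pdf\t"
    "quarantined\t0123456789abcdef0123456789abcdef\n"
    "2024-05-01 09:15:40\tPC-0042\t10.20.31.9\tS. Lee\tSales\t"
    "X97M/Laroux\tC:\\Users\\slee\\Desktop\\report.xls\tdeleted\t"
    "fedcba9876543210fedcba9876543210\n"
    "2024-05-01 09:20:11\tPC-0088\t10.20.32.7\tH. Park\tHR\t"
    "Trojan/Example.Test\tC:\\Temp\\setup.exe\tquarantined\t"
    "00000000000000000000000000000000\n"
)


def parse_alert(line: str) -> Dict[str, str]:
    """Split one tab-separated alert into a dict keyed by FIELDS; reject short or long rows."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))


def is_phishing(signature: str) -> bool:
    """The rule's condition: signature starts with Phishing/ or X97M/ (case-sensitive)."""
    return signature.startswith(PHISHING_PREFIXES)


def detect_phishing(log_text: str) -> List[str]:
    """Return one rendered alert message per matching record, in log order."""
    messages = []
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines between records
        alert = parse_alert(line)
        if is_phishing(alert["signature"]):
            messages.append(MESSAGE.substitute(alert))
    return messages


if __name__ == "__main__":
    for msg in detect_phishing(SAMPLE_ALERTS):
        print(msg)
```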
Threat Analysis
- Phishing malware entices users to open documents (PDF, HTML, Office macros, etc.) to steal credentials, execute malicious scripts, or download additional malware.
- Phishing/ and X97M/ signatures represent initial access attempts involving email-based spear-phishing, fake login HTML pages, and macro-based malicious documents that depend on user interaction.
- The presence of such files indicates that the user may have already opened a malicious document, or is likely to do so, requiring immediate verification and user protection.
False Positives
- Detections may occur when the operations or security team tests internal training materials or phishing simulation documents.
- A small number of legitimate Office documents containing macros may be falsely detected as X97M/.
Response Actions
- Verify the source of the detected file (email sender, download path, etc.) and determine whether the user actually opened the file.
- If the malicious document was executed, analyze the endpoint’s process tree, download history, and script execution traces to identify further compromise.
- Check whether the same phishing email has spread across the organization and apply blocking or user warning measures accordingly.
- Strengthen protections against document-based malware by enforcing macro blocking policies and automatic quarantine of suspicious documents.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- Name: Spearphishing Attachment
- ID: T1566.001
- Reference URL: https://attack.mitre.org/techniques/T1566/001/