Stories from the SOC: The curious case of termination notices
ID: 3faea03e-6836-5457-b953-46d3b3e3c11d
STIX ID: report--3faea03e-6836-5457-b953-46d3b3e3c11d
Feed Name: Expel Blog
Date Published: 2025-10-29
Date Updated: 2026-04-27
Author: Ben Nahorney; Isa Judd; Hafsah Mijinyawa
This SOC report describes a multi-stage phishing campaign at a university. Attackers compromised student accounts (Student 0 and Student 1), used them to send phishing emails containing credential-harvesting forms to about 4,800 recipients, and established inbox rules to hide their activity. SOC analysts pivoted on a suspicious IP to uncover the broader campaign, then disabled affected accounts, reset credentials, and blocked malicious domains to contain the incident.
