An email with the subject line "Account has been temporarily suspended!" was sent from the display name "Prime's Report" with the sender address "kzgxr6fvei99qvheq8kcee6cuibjy5b3@kfndhhejbz.internetartalliance.com". The email was sent on Thursday, October 20, 2022 at 15:32:11 +0100. It carried an attachment with the filename "Receiptupdate8761524.pdf".
To verify if any employees have received the email, one can search the email gateway for the subject line or the sending address. To see if any employees have downloaded the attachment, one can check the endpoint detection and response (EDR) logs.
By Base64-decoding the attachment from the email file, the URL embedded in the PDF can be recovered: "**https://docs.google.com/drawings/d/1Yjoy0g6WvJ0NF2BFH3ythG186xNpIRhNn8PLaw3bUXY/preview**". The attached file has a SHA256 hash of "71B6E937013A6A961F3BA8A4FE942DC34A58B9DDEBC79C628E1C0AD572B3755B" and impersonates Amazon.
To determine whether any users clicked the link within the file, one can search for network connections to the URL or its domain in the EDR or security information and event management (SIEM) logs. Opening the URL behind the call-to-action button shows that it is a Google redirect whose full URL is "**https://www.google.com/url?q=http://gaykauaiwedding.com/&sa=D&source=editors&ust=1666280016126192&us**" (as captured); the `q` parameter carries the real destination, so the domain of the site was determined to be "gaykauaiwedding.com".
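The triage steps described above (read the headers, decode and hash the attachment, pull URLs out of the PDF, unwrap the Google redirect to the real domain) can be scripted. The following is an added example and is not code from the original write-up; the .eml, the PDF bytes, the sender domain, the Drawings document id and the redirect target are all constructed placeholders, not the indicators from the incident, so the hash it produces is not the one reported above.

```python
"""Phishing-email triage helpers (added example, not from the original write-up).

The .eml text, the PDF bytes, the sender address and all URLs below are
constructed placeholders for illustration only.
"""
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlparse

# Constructed PDF: a minimal /Link annotation in the shape Acrobat writes, so
# the /URI regex below has something realistic to find. Document id is fake.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://docs.google.com/drawings/d/EXAMPLE-ID/preview) >> >>\n"
    b"endobj\n%%EOF\n"
)

# Constructed .eml with the PDF attached as base64 (placeholder sender domain).
SAMPLE_EML = (
    "From: Prime's Report <noreply@sender.example>\r\n"
    "To: employee@corp.example\r\n"
    "Subject: Account has been temporarily suspended!\r\n"
    "Date: Thu, 20 Oct 2022 15:32:11 +0100\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nYour account is suspended. See attached.\r\n"
    '--b1\r\nContent-Type: application/pdf; name="Receiptupdate8761524.pdf"\r\n'
    'Content-Disposition: attachment; filename="Receiptupdate8761524.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(SAMPLE_PDF).decode() + "\r\n--b1--\r\n"
)

# PDF link annotations store the target as "/URI (target)".
PDF_URI_RE = re.compile(rb"/URI\s*\((.*?)\)")


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA256 hex digest, the form most threat-intel portals accept."""
    return hashlib.sha256(data).hexdigest().upper()


def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes (uncompressed objects only)."""
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(pdf_bytes)]


def unwrap_redirect(url: str) -> str:
    """Return the real target behind a google.com/url?q=... redirect, else the URL itself."""
    parsed = urlparse(url)
    if parsed.netloc.endswith("google.com") and parsed.path == "/url":
        target = parse_qs(parsed.query).get("q")
        if target:
            return target[0]
    return url


def domain_of(url: str):
    """Hostname part of a URL, the value to hunt for in proxy/EDR/SIEM logs."""
    return urlparse(url).hostname


def triage_eml(raw_eml: str) -> dict:
    """Parse headers and attachments; hash each attachment and pull URLs out of PDFs."""
    msg = message_from_string(raw_eml)
    result = {
        "subject": msg["Subject"],
        "sender": msg["From"],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # reverses the base64 transfer encoding
        urls = extract_pdf_uris(data) if data.startswith(b"%PDF") else []
        result["attachments"].append({
            "filename": part.get_filename(),
            "sha256": sha256_hex(data),
            "urls": urls,
            # Final landing domains after unwrapping any Google redirect.
            "domains": sorted({domain_of(unwrap_redirect(u)) for u in urls}),
        })
    return result


if __name__ == "__main__":
    report = triage_eml(SAMPLE_EML)
    print(report)
    # Constructed redirect in the same shape as the one captured from the button.
    print(domain_of(unwrap_redirect(
        "https://www.google.com/url?q=http://phish.example/&sa=D&source=editors")))
```

The subject, sender, hash and domain values in the returned dictionary are exactly the indicators to search for in the email gateway, EDR and SIEM. Note that `extract_pdf_uris` only sees uncompressed PDF objects; a PDF whose objects sit inside compressed streams needs a proper PDF parser first.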
The phishing techniques used in this incident map to MITRE ATT&CK sub-techniques T1566.001 (Spearphishing Attachment) and T1566.002 (Spearphishing Link).