Silence.
No one from payroll logs in at 2:15 AM.
"Talk to me," the manager said, voice gravelly.
He dove deeper. Parent process of the SMTP connection: not svchost.exe, not a mail client. It was winword.exe. A Word document.
He grabbed his headset. Called the incident response hotline. No answer. Voicemail. He typed a terse message in the #security-incidents Slack channel: "Active hands-on-keyboard intrusion. Source: internal Phish. Lateral movement to DC. Isolate VLAN 12 and 14. Now."
The detonation was clinical. The document opened. No macros. No VBA scripts. Just a single, embedded OLE object—a link to a SharePoint site that didn't exist anymore. But the link contained a string of Base64. Marcus decoded it. Not a payload. A command.
The timeline assembled itself like a nightmare jigsaw: JSmith's credentials phished three days ago. Attacker logged in at 2 AM when logs were quieter. Uploaded the Word doc to HR share. The doc’s OLE object didn't execute a payload—it executed a discovery script to map internal shares. Then, the attacker used that map to drop the real payload on finance workstations via a scheduled task. They were staging the exfiltration of payroll data. Quiet. Patient. Methodical.