13.10 Cross-Wave Correlation

2–3 hours · Module 13

With all five waves documented, connect them into a single campaign view. This analysis feeds into the incident report, threat intelligence sharing, and detection engineering.

Campaign infrastructure analysis

EmailEvents
| where TimeGenerated between (datetime(2026-02-27T00:00:00Z) .. datetime(2026-03-02T00:00:00Z))
| where SenderMailFromDomain has_any ("northgate-voicemail", "northgate-docs",
    "northgateeng-support", "northgate-benefits", "northgate-projects")
| summarize
    EmailCount = count(),
    Recipients = dcount(RecipientEmailAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SenderMailFromDomain
| sort by FirstSeen asc

Campaign summary:

Wave   Domain                       Registered   Hosting    Email count   Recipients
1      northgate-voicemail[.]com    2026-02-25   VPS (US)   23            23
2      northgate-docs[.]com         2026-02-26   VPS (US)   41            41
3      northgateeng-support[.]com   2026-02-27   VPS (NL)   8             8
4      northgate-benefits[.]com     2026-02-28   VPS (NL)   15            15
5      northgate-projects[.]com     2026-02-28   VPS (DE)   31            31
Total                                                       118           86 unique

Patterns identified:

  • All domains follow the pattern northgate-[word][.]com — impersonating the target organisation name
  • Domains registered 1-2 days before each wave — disposable infrastructure
  • Hosting rotated across US, NL, DE VPS providers — preventing IP-based blocking
  • URL path pattern consistent across all waves: /auth/[a-f0-9]{32}/login
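The per-domain summary above is what the KQL query returns; the campaign-wide figures (118 emails, 86 unique recipients) need one more step that groups across domains. The following Python is an added example, not part of the module or its lab environment: it runs the same aggregation over a constructed set of EmailEvents-style rows (sender domain, recipient, URL), selects rows by the domain naming convention and the kit URL path instead of a hard-coded domain list, and shows why the unique recipient total is lower than the sum of the per-wave counts. The sample rows, the `example.org` recipients and the hex tokens are constructed; the domain regex is loosened so the `northgateeng-` variant from wave 3 also matches.

```python
import re
from datetime import datetime

# Durable kit signature and the campaign's domain naming convention, both taken
# from the patterns identified above. The domain regex is loosened slightly so
# the "northgateeng-" variant from wave 3 also matches.
KIT_PATH = re.compile(r"/auth/[a-f0-9]{32}/login")
CAMPAIGN_DOMAIN = re.compile(r"^northgate[a-z]*-[a-z]+\[\.\]com$")

# Constructed sample of EmailEvents rows (not real telemetry), as
# (TimeGenerated, SenderMailFromDomain, RecipientEmailAddress, Url).
# Domains are defanged as on the page. u02 receives mail in two waves, which is
# why the campaign-wide unique recipient count is below the per-wave sum.
TOKEN_A = "deadbeef" * 4
TOKEN_B = "c0ffee00" * 4
SAMPLE_EMAILS = [
    ("2026-02-27T08:02:00Z", "northgate-voicemail[.]com", "u01@example.org",
     f"hxxps://northgate-voicemail[.]com/auth/{TOKEN_A}/login"),
    ("2026-02-27T08:05:00Z", "northgate-voicemail[.]com", "u02@example.org",
     f"hxxps://northgate-voicemail[.]com/auth/{TOKEN_A}/login"),
    ("2026-02-28T09:10:00Z", "northgate-docs[.]com", "u02@example.org",
     f"hxxps://northgate-docs[.]com/auth/{TOKEN_B}/login"),
    ("2026-02-28T09:11:00Z", "northgate-docs[.]com", "u03@example.org",
     f"hxxps://northgate-docs[.]com/auth/{TOKEN_B}/login"),
    ("2026-03-01T07:30:00Z", "northgateeng-support[.]com", "u04@example.org",
     f"hxxps://northgateeng-support[.]com/auth/{TOKEN_A}/login"),
    # Unrelated mail in the same window that must stay out of the campaign view
    ("2026-02-28T12:00:00Z", "vendor-news[.]example", "u05@example.org",
     "hxxps://vendor-news[.]example/newsletter"),
    # Campaign-looking mail outside the analysis window
    ("2026-03-03T10:00:00Z", "northgate-docs[.]com", "u06@example.org",
     f"hxxps://northgate-docs[.]com/auth/{TOKEN_B}/login"),
]


def parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample rows."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_campaign_email(sender_domain, url):
    """True when both the sender domain convention and the kit path match."""
    return bool(CAMPAIGN_DOMAIN.match(sender_domain) and KIT_PATH.search(url))


def summarize_campaign(emails, start, end):
    """Python equivalent of the KQL summarize, plus campaign-wide totals.
    The window is inclusive at both ends, like KQL's between()."""
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    per_domain = {}
    all_recipients = set()
    total = 0
    for ts, domain, recipient, url in emails:
        t = parse_ts(ts)
        if not (start_dt <= t <= end_dt) or not is_campaign_email(domain, url):
            continue
        row = per_domain.setdefault(
            domain, {"EmailCount": 0, "Recipients": set(), "FirstSeen": t, "LastSeen": t})
        row["EmailCount"] += 1
        row["Recipients"].add(recipient)
        row["FirstSeen"] = min(row["FirstSeen"], t)
        row["LastSeen"] = max(row["LastSeen"], t)
        all_recipients.add(recipient)
        total += 1
    waves = sorted(
        ({"Domain": d, "EmailCount": r["EmailCount"], "Recipients": len(r["Recipients"]),
          "FirstSeen": r["FirstSeen"], "LastSeen": r["LastSeen"]}
         for d, r in per_domain.items()),
        key=lambda r: r["FirstSeen"])
    return {"waves": waves, "TotalEmails": total, "UniqueRecipients": len(all_recipients)}


if __name__ == "__main__":
    summary = summarize_campaign(SAMPLE_EMAILS, "2026-02-27T00:00:00Z", "2026-03-02T00:00:00Z")
    for w in summary["waves"]:
        print(f'{w["Domain"]:28} emails={w["EmailCount"]:3} recipients={w["Recipients"]:3} '
              f'first={w["FirstSeen"].isoformat()}')
    print(f'Total emails: {summary["TotalEmails"]}, unique recipients: {summary["UniqueRecipients"]}')
```

Selecting by the naming convention plus the kit path (rather than listing the five domains) means a sixth domain that follows the same pattern is pulled into the campaign view automatically, which is the point of the pattern analysis above.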

IOC extraction for threat intelligence sharing

The following IOCs should be shared with your sector ISAC, managed SOC partner, and any peer organisations:

Domains: northgate-voicemail[.]com, northgate-docs[.]com, northgateeng-support[.]com, northgate-benefits[.]com, northgate-projects[.]com

URL pattern: /auth/[a-f0-9]{32}/login (phishing kit signature)

Attacker IP (token replay): 203.0.113.45

Sending IPs: (extracted from email headers per wave)

Kit indicators: Cloudflare Turnstile CAPTCHA on the proxy landing page; Tycoon 2FA-style login page structure.

Share patterns, not just indicators

Individual domains and IPs are perishable — the attacker changes them for the next target. The URL path pattern and kit behaviour are durable — they identify the phishing kit regardless of infrastructure changes. When sharing with your ISAC or peer organisations, emphasise the pattern over the specific IOCs.
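To make the difference between perishable and durable indicators concrete, the following Python is an added example (not part of the module): it packages the IOCs listed above with the durable patterns separated from the one-off indicators, and classifies URLs by which kind of evidence flags them. The `northgate-example6[.]com` host in the sample input is constructed to stand in for a rotated domain that is not on the blocklist; the domain list, URL path regex and token-replay IP are the values from this page.

```python
import re

# Durable signature: the URL path generated by the phishing kit (from the page).
KIT_PATH = re.compile(r"^/auth/[a-f0-9]{32}/login$")
# Perishable indicators: the five sender domains seen in waves 1-5, defanged as on the page.
KNOWN_DOMAINS = {
    "northgate-voicemail[.]com", "northgate-docs[.]com", "northgateeng-support[.]com",
    "northgate-benefits[.]com", "northgate-projects[.]com",
}
ATTACKER_IP = "203.0.113.45"  # token-replay source IP from the page


def split_url(url):
    """Split a (possibly defanged) URL into host and path, dropping any query string."""
    m = re.match(r"^[a-z]+://([^/]+)(/[^?#]*)?", url)
    if not m:
        return None, None
    return m.group(1), m.group(2) or "/"


def classify_url(url):
    """Return the set of evidence types that flag the URL:
    'domain'  - host is on the perishable domain blocklist
    'pattern' - path matches the durable kit signature."""
    host, path = split_url(url)
    hits = set()
    if host in KNOWN_DOMAINS:
        hits.add("domain")
    if path and KIT_PATH.match(path):
        hits.add("pattern")
    return hits


def build_sharing_package():
    """Assemble the IOC set for ISAC / partner sharing, durable patterns first."""
    return {
        "patterns": {
            "url_path_regex": KIT_PATH.pattern,
            "domain_naming": "northgate-[word][.]com",
            "kit_behaviour": ["Cloudflare Turnstile CAPTCHA on proxy landing page",
                              "Tycoon 2FA-style login page structure"],
        },
        "indicators": {
            "domains": sorted(KNOWN_DOMAINS),
            "token_replay_ip": ATTACKER_IP,
        },
    }


if __name__ == "__main__":
    token = "0" * 32  # constructed kit token, 32 hex characters
    samples = {
        "known domain + kit path": f"hxxps://northgate-docs[.]com/auth/{token}/login",
        # Constructed next-wave host, not on the page: stands in for
        # infrastructure rotated after the domain blocklist was shared.
        "new domain + kit path": f"hxxps://northgate-example6[.]com/auth/{token}/login?x=1",
        "known domain, other path": "hxxps://northgate-docs[.]com/favicon.ico",
        "unrelated": "hxxps://vendor-news[.]example/newsletter",
    }
    for label, url in samples.items():
        print(f"{label:26} -> {sorted(classify_url(url)) or 'no match'}")
    print(build_sharing_package()["patterns"]["url_path_regex"])
```

The "new domain + kit path" case is the one that matters for detection engineering: a rule built only on the five domains returns nothing for it, while the path regex still fires, so a proxy or email-URL rule should carry the pattern and treat the domain list as supporting context.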

Check your understanding

1. Why is the URL path pattern a more valuable IOC than the phishing domains?

  • Domains are disposable and change per wave. The URL path pattern is generated by the phishing kit and remains consistent across all domains and all targets — it identifies the kit itself, not a single deployment.
  • Domains are harder to find
  • URL paths are always the same