Cybersecurity isn’t just about blocking threats – it’s about investigating them properly.
This week we were asked to investigate what initially appeared to be a sophisticated phishing campaign.
At first glance, the emails certainly raised concerns:
- Payment-related subject lines
- Attachments
- High Microsoft spam confidence scores (SCL 9)
- Multiple recipients seemingly receiving the same messages
Rather than jumping to conclusions, we carried out a full forensic review.
We analysed the complete SMTP headers.
Verified SPF, DKIM and DMARC authentication.
Examined the email routing through Microsoft 365.
Extracted and inspected the message attachments.
Investigated why multiple mailboxes appeared to receive the emails.
Considered whether the duplication originated from the sender or internally within Microsoft 365.
The result?
The emails were genuine transactional messages from a legitimate payment provider. The investigation then shifted from “Is this phishing?” to “Why are these genuine emails being delivered the way they are?”
That’s the difference between reacting to an alert and performing a proper investigation.
Too often, suspicious emails are either deleted without understanding them, or worse, trusted without verification. The real value comes from understanding exactly what happened, why it happened, and whether any security risk actually exists.
At Cloud9 Computing, we don’t just fix problems we investigate them thoroughly. Sometimes the answer is “Yes, this is malicious.” Other times, as in this case, the answer is “No, but let’s understand exactly why it behaved this way.”
That attention to detail gives our clients confidence that decisions are based on evidence, not assumptions.
Cybersecurity is as much about investigation as it is about prevention.
#CyberSecurity #Microsoft365 #EmailSecurity #Phishing #DigitalForensics #ITSupport #Cloud9Computing #CyberResilience


