#NSBCS.108 - From Evidence to Insight: The Role of IOCs in Cyber Investigations
From Evidence to Insight: The Role of IOCs in Cyber Investigations
Indicators of Compromise (IOCs) play a critical role in modern cyber security investigations. They are the digital artefacts left behind when an attacker interacts with systems, identities, or networks: unusual login activity, suspicious IP addresses, malicious domains, unexpected mailbox access, or abnormal system behaviour. IOCs help investigators determine whether malicious activity has occurred and understand the nature and extent of a compromise.
During an incident response, IOCs form the backbone of how incidents are analysed and validated. Analysts use IOCs to map affected assets and build timelines, identify initial access points, and determine how activity progressed across an environment. This is particularly important in cloud and identity-driven environments, where attackers often leverage legitimate credentials and native tooling rather than deploying obvious malware, so no single indicator looks malicious on its own. In these cases it is the correlation of identity, email, and activity-based indicators, such as a sign-in from an unfamiliar address followed shortly by a new inbox rule, that reveals the actions taken by a threat actor.
As investigations progress, IOCs also support a profiling-style approach to understanding attacker behaviour. By analysing repeated patterns across authentication logs, mailbox activity, application usage, and persistence mechanisms, investigators can identify how an attacker typically operates within an environment. This helps distinguish one-off anomalies from coordinated malicious activity, and it provides insight into the attacker's objectives, preferred techniques, and level of sophistication. Over time, this behavioural understanding becomes as valuable as any single technical indicator, and it ages better: IP addresses and domains are cheap for an attacker to change, while the sequence of actions they take tends to persist.
Beyond responding to incidents, IOCs play a crucial role in improving future investigations. Patterns observed during one incident often reappear in others, even when the tooling or infrastructure changes. Recognising common access paths, recurring behaviours, and preferred techniques allows security teams to detect similar activity earlier and respond with greater confidence. This shifts investigations from being purely reactive to being informed by historical insight and experience.
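A worked illustration of the correlation and profiling described in the two paragraphs above, added here as an example; it is not NSB Cyber's or any vendor's tooling. The sign-in and mailbox audit records are constructed to resemble Entra ID sign-in logs and Exchange Unified Audit Log entries, and the users, IP addresses, timestamps, the list of post-access operations and the two-hour follow-on window are all assumptions. A successful sign-in from an IP outside the user's baseline is treated as initial access only when post-access mailbox activity follows from the same IP; the timeline for that user/IP pair is then assembled, and each source IP is profiled across users so a repeated pattern stands out from a one-off anomaly.

```python
"""Correlate identity and mailbox indicators into an incident timeline.

Added example, not NSB Cyber's tooling. The events below are constructed to
resemble Entra ID sign-in logs and Exchange Unified Audit Log entries; the
field names, users, IP addresses and timestamps are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real infrastructure.
SIGNINS = [
    {"time": "2025-03-01T08:02:00", "user": "alice@example.com", "ip": "198.51.100.10", "result": "Success"},
    {"time": "2025-03-01T08:30:00", "user": "bob@example.com",   "ip": "198.51.100.22", "result": "Success"},
    {"time": "2025-03-02T08:05:00", "user": "alice@example.com", "ip": "198.51.100.10", "result": "Success"},
    {"time": "2025-03-03T23:41:00", "user": "alice@example.com", "ip": "203.0.113.77",  "result": "Failure"},
    {"time": "2025-03-03T23:43:00", "user": "alice@example.com", "ip": "203.0.113.77",  "result": "Success"},
    {"time": "2025-03-04T09:00:00", "user": "bob@example.com",   "ip": "198.51.100.22", "result": "Success"},
    {"time": "2025-03-05T02:10:00", "user": "bob@example.com",   "ip": "203.0.113.77",  "result": "Success"},
]

# Constructed mailbox audit events (Unified Audit Log style).
MAILBOX = [
    {"time": "2025-03-03T23:50:00", "user": "alice@example.com", "ip": "203.0.113.77",  "op": "New-InboxRule",     "detail": "MoveToFolder=RSS Feeds"},
    {"time": "2025-03-03T23:55:00", "user": "alice@example.com", "ip": "203.0.113.77",  "op": "MailItemsAccessed", "detail": "Inbox"},
    {"time": "2025-03-04T09:01:00", "user": "bob@example.com",   "ip": "198.51.100.22", "op": "MailItemsAccessed", "detail": "Inbox"},
    {"time": "2025-03-05T02:12:00", "user": "bob@example.com",   "ip": "203.0.113.77",  "op": "New-InboxRule",     "detail": "MoveToFolder=RSS Feeds"},
]

# Mailbox operations that show an actor doing something with the account, not
# merely holding a session. An assumed list; extend it for your environment.
POST_ACCESS_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission", "MailItemsAccessed"}


def ts(event):
    return datetime.fromisoformat(event["time"])


def baseline_ips(signins, clean_until):
    """IPs each user successfully signed in from before `clean_until`, the
    point up to which the environment is treated as known-good."""
    seen = defaultdict(set)
    for s in signins:
        if s["result"] == "Success" and ts(s) < clean_until:
            seen[s["user"]].add(s["ip"])
    return seen


def find_initial_access(signins, mailbox, clean_until, window_hours=2):
    """Earliest successful sign-in per user from an IP outside that user's
    baseline that is followed within `window_hours` by post-access mailbox
    activity from the same IP. A new IP alone is weak evidence (it may be a
    travelling employee); the follow-on action is what makes it an indicator."""
    clean_until = datetime.fromisoformat(clean_until)
    window = timedelta(hours=window_hours)
    known = baseline_ips(signins, clean_until)
    hits = {}
    for s in sorted(signins, key=ts):
        if s["result"] != "Success" or ts(s) < clean_until:
            continue
        user, ip = s["user"], s["ip"]
        if ip in known[user] or user in hits:
            continue
        follow = [m["op"] for m in mailbox
                  if m["user"] == user and m["ip"] == ip and m["op"] in POST_ACCESS_OPS
                  and ts(s) <= ts(m) <= ts(s) + window]
        if follow:
            hits[user] = {"time": s["time"], "ip": ip, "followed_by": follow}
    return hits


def timeline(signins, mailbox, user, ip):
    """Merged, time-ordered view of everything this user/IP pair did,
    including the failed sign-ins that preceded the successful one."""
    events = [(ts(s), "signin", s["result"]) for s in signins if s["user"] == user and s["ip"] == ip]
    events += [(ts(m), m["op"], m["detail"]) for m in mailbox if m["user"] == user and m["ip"] == ip]
    return [(t.isoformat(), kind, detail) for t, kind, detail in sorted(events)]


def profile_by_ip(mailbox):
    """Behavioural profile: for each source IP, which users it touched and which
    operations it performed. The same operation repeated against several
    mailboxes from one IP is a campaign pattern, not a one-off anomaly."""
    prof = defaultdict(lambda: {"users": set(), "ops": set()})
    for m in mailbox:
        prof[m["ip"]]["users"].add(m["user"])
        prof[m["ip"]]["ops"].add(m["op"])
    return {ip: {"users": sorted(v["users"]), "ops": sorted(v["ops"])} for ip, v in prof.items()}


if __name__ == "__main__":
    for user, hit in find_initial_access(SIGNINS, MAILBOX, "2025-03-03T00:00:00").items():
        print(user, hit)
        for row in timeline(SIGNINS, MAILBOX, user, hit["ip"]):
            print("   ", *row)
    print(profile_by_ip(MAILBOX))
```

On the constructed data the check flags alice's 23:43 sign-in from 203.0.113.77 (preceded by a failure and followed by an inbox rule and mailbox reads) and bob's sign-in from the same address two days later, while bob's routine access from his usual address is left alone. The profile then shows 203.0.113.77 creating the same "RSS Feeds" inbox rule against both mailboxes, which is the kind of repeated behaviour worth carrying into future investigations even after the IP itself changes.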
What does this mean for your organisation?
For organisations, the value of IOCs extends far beyond technical analysis. Effective use of IOCs supports better decision-making during incidents, clearer communication with stakeholders, and stronger confidence in containment and remediation efforts. Organisations that systematically capture and analyse IOCs from incidents are better positioned to validate whether an environment has been fully remediated or whether residual risk remains.
More importantly, IOCs provide an opportunity to turn incidents into learning exercises rather than isolated events. By feeding investigative findings back into monitoring strategies, alerting logic, and response playbooks, organisations can continuously improve their ability to detect and respond to threats. This approach helps reduce dwell time, limit impact, and improve overall security maturity over time.
At NSB Cyber, we focus on delivering actionable intelligence derived directly from real-world incidents and investigations. Rather than treating IOCs as static lists, we analyse them in context, identify patterns and behaviours, and translate those insights into practical, timely reporting. By feeding lessons learned back into detection, response, and awareness activities, we help organisations strengthen their investigative capability and prepare for future threats, taking #NoStepsBackwards.
What we read this week
Microsoft Teams External Domain Anomalies Allow Defenders to Detect Attackers at Earliest - Microsoft is introducing a new security capability for Microsoft Teams called the External Domains Anomalies Report, aimed at helping administrators detect suspicious external interactions before they lead to data breaches. Scheduled for global rollout in February 2026, the feature addresses growing misuse of Teams by threat actors for social engineering and initial access. It establishes normal communication baselines and flags anomalies such as sudden increases in external messages, first-time contact with unfamiliar domains, and abnormal engagement patterns. When triggered, the report provides actionable alerts that allow security teams to quickly investigate and respond to potentially risky conversations. The release follows increased abuse of Teams by groups such as Black Basta, which has used chat messages to impersonate IT support and trick users into installing remote access tools like AnyDesk.
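To make that baselining concrete, the following is a simplified illustration of the kind of check the report performs, added here as an example; it is not Microsoft's External Domains Anomalies Report or its detection logic. The external-chat records are constructed, and the 14-day baseline window, the spike factor and the minimum-message threshold are assumptions. It flags a user's first contact with an external domain (noting whether the domain is new to the whole tenant, which is the stronger signal) and a day on which a user's external message volume is well above their own baseline.

```python
"""Baseline-and-anomaly check for external Teams contacts.

Added example: a simplified illustration, not Microsoft's External Domains
Anomalies Report. Records and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta


def constructed_messages():
    """Constructed external-chat records, one row per message exchanged with
    someone outside the tenant: 14 quiet days, then a day with two anomalies."""
    msgs = []
    for i in range(14):
        day = (date(2026, 2, 2) + timedelta(days=i)).isoformat()
        msgs += [{"day": day, "user": "alice@example.com", "domain": "partner.example", "direction": "out"}] * 2
        msgs.append({"day": day, "user": "bob@example.com", "domain": "vendor.example", "direction": "in"})
    # Day under review: bob is messaged by a domain nobody in the tenant has
    # talked to before, and alice suddenly sends a burst to a new domain.
    msgs.append({"day": "2026-02-16", "user": "bob@example.com", "domain": "helpdesk-support.example", "direction": "in"})
    msgs += [{"day": "2026-02-16", "user": "alice@example.com", "domain": "partner.example", "direction": "out"}] * 2
    msgs += [{"day": "2026-02-16", "user": "alice@example.com", "domain": "file-share.example", "direction": "out"}] * 7
    return msgs


def baseline(messages, start, end):
    """Per-user baseline over [start, end): the external domains each user has
    exchanged messages with, and their average external messages per day."""
    days = max((end - start).days, 1)
    known = defaultdict(set)
    counts = Counter()
    for m in messages:
        d = date.fromisoformat(m["day"])
        if start <= d < end:
            known[m["user"]].add(m["domain"])
            counts[m["user"]] += 1
    return known, {u: c / days for u, c in counts.items()}


def anomalies(messages, day, baseline_days=14, spike_factor=3.0, min_msgs=5):
    """Flag, for one day, (a) external domains a user has not talked to during
    the baseline window, noting whether the domain is new to the whole tenant,
    and (b) users whose external message count is well above their baseline.
    The floor of one message per day in the spike test stops a user with an
    empty baseline being flagged for a handful of messages."""
    target = date.fromisoformat(day)
    known, avg = baseline(messages, target - timedelta(days=baseline_days), target)
    tenant_known = set().union(*known.values())
    today = [m for m in messages if m["day"] == day]
    findings, reported = [], set()
    for m in today:
        key = (m["user"], m["domain"])
        if m["domain"] not in known[m["user"]] and key not in reported:
            reported.add(key)
            findings.append({"user": m["user"], "type": "first_contact", "domain": m["domain"],
                             "direction": m["direction"],
                             "new_to_tenant": m["domain"] not in tenant_known})
    for user, n in Counter(m["user"] for m in today).items():
        expected = avg.get(user, 0.0)
        if n >= min_msgs and n > spike_factor * max(expected, 1.0):
            findings.append({"user": user, "type": "volume_spike", "count": n,
                             "baseline_per_day": round(expected, 2)})
    return findings


if __name__ == "__main__":
    for finding in anomalies(constructed_messages(), "2026-02-16"):
        print(finding)
```

An inbound first contact from a domain unknown to the entire tenant is the case that maps onto the IT-support impersonation pattern described above and deserves the most attention; a first contact that other users already know is usually a new colleague talking to an existing partner. Per-user baselines matter because a sales user's normal external volume would be a spike for someone in finance.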
Fake LastPass Emails Pose as Password Vault Backup Alerts - LastPass has warned of a phishing campaign posing as a fake maintenance notice that pressures users to back up their vaults within 24 hours. The emails include links to a fraudulent website that claims to create an encrypted backup, but is designed to hijack accounts or steal users’ master passwords. LastPass said the messages rely on urgency and authoritative language, using subject lines focused on infrastructure updates and vault security to manipulate recipients. The company reiterated that it will never ask for master passwords and encouraged users to report suspicious emails to its abuse team.
Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading - Cybersecurity researchers have identified a new phishing campaign that abuses private messages on LinkedIn to distribute malware, likely aimed at deploying a remote access trojan. Attackers are building trust with targeted individuals before tricking them into downloading a malicious WinRAR self-extracting archive. When executed, the archive launches a legitimate PDF reader that sideloads a malicious DLL, drops a Python interpreter, and establishes persistence via a registry run key. The Python component then runs Base64-encoded shellcode directly in memory, enabling stealthy communication with an external server for ongoing access and data exfiltration. Researchers warned that the use of social media messaging and legitimate open-source tools highlights how phishing is expanding beyond email, making these campaigns harder to detect and easier to scale.
Fortinet Admins Report Patched FortiGate Firewalls Getting Hacked - Fortinet customers are reporting active exploitation of a patch bypass affecting the previously fixed FortiGate authentication flaw CVE-2025-59718, allowing attackers to compromise firewalls that were believed to be secured. Administrators have indicated that FortiOS 7.4.9 and even 7.4.10 did not fully remediate the issue, with Fortinet reportedly planning additional releases to properly address the vulnerability. Until a complete fix is available, organisations are advised to disable FortiCloud administrative login, though the feature is not enabled by default on devices that are not FortiCare-registered.
References
https://cybersecuritynews.com/microsoft-teams-external-domain-anomalies/
https://www.bleepingcomputer.com/news/security/fake-lastpass-emails-pose-as-password-vault-backup-alerts/
https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html
https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/

