Best Work

Selected analysis and detection output — phishing ops, malware delivery, and the queries defenders can use.

Currently:: Security analyst @ MLS
Focus:: Phishing investigations, malware delivery analysis, detection engineering
Output:: Analysis writeups, KQL detection library, investigation playbooks

Analysis

Malware delivery

LummaStealer HTA Loader

•Traced a LummaStealer delivery chain from HTA dropper through staged execution
•Mapped loader behavior, persistence mechanisms, and C2 communication patterns
•Focused on detection opportunities at each stage of the delivery chain

View analysis →

Phishing investigation

Agent Tesla Staged Malware

•Analyzed a fresh Agent Tesla sample using static and behavioral techniques
•Mapped staging and execution flow and identified exfil patterns
•Focused on what can be detected at runtime, not just reversing for completeness

Environment: isolated lab, offline execution, behavioral tooling

View analysis →

Phishing ops

O365 Termination Lure via Google Form

•Investigated a credential-harvesting campaign using fake O365 termination notices
•Traced the delivery path through a Google Form redirect to a phishing page
•Documented attacker infrastructure and the authentication failures that allowed it

View analysis →

Detection Library

threat-detections

Reusable KQL queries and scoping logic built directly from real investigations. Designed for fast pivoting during phishing triage and incident response — not just reference material, but queries I run during active casework.

•Phishing delivery and sender infrastructure scoping
•Detection logic tied to specific attacker behaviors observed during investigation
•KQL written for Microsoft Sentinel / Defender environments

View threat-detections on GitHub →

ToolOpen App →

PRVIEW

Browser-based phishing email analysis — import .eml or raw source, parse headers and body, extract URLs, export a clean summary.

More casework: Analysis →

Say hi:me⁠@⁠heyosj.com·LinkedIn·Substack