Email Header Analysis

phishing campaigns

- email security controls

- SPF, DKIM, DMARC

- Safe Links, safe URL

- Cloudflare Area 1

- KnowBe4

- Microsoft ZAP (zero-hour auto purge)

Metrics

- collect the metrics and evidence (the emails themselves): which emails are bypassing our controls?

- collect TTPs

- classify them based on TTPs

- enforce security controls to block them (rinse and repeat this process)

- metrics from the KnowBe4 campaign

- full list of users the campaign was run against

- list of failed users

Phishing email analysis:

- receive the reported email in the phishing inbox

- collect attachments and headers

- any.run (sandbox)

- Browserling

- use Explorer to find how many recipients received it

- run a soft delete on the message

- To Do: phishing email analysis / incident response template (Word)

- Incident name

- Incident time/date

- Analyst name

- email sender

- email receiver

- Header analysis findings

- Artifacts analysis (attachments, URLs)

- SPF, DKIM, DMARC results for the sender domain

- Notes

- artifacts to collect (email, attachments); zip them password-protected and share on SharePoint
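A small parser for the header-analysis fields of this template, added here as an example (it is not from the original notes): it reads the SPF/DKIM/DMARC verdicts the receiving MTA stamped into Authentication-Results, flags Return-Path and Reply-To domains that differ from the visible From, and lists body URLs hosted outside the sender's domain. The message it analyzes is a constructed sample.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample (not from the notes): look-alike sender domain, failing auth checks.
SAMPLE_EML = b"""\
Return-Path: <bounce@examp1e-corp.com>
Received: from mail.examp1e-corp.com (mail.examp1e-corp.com [203.0.113.7])
 by mx.example.com with ESMTPS; Mon, 3 Jun 2024 09:12:44 +0000
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e-corp.com;
 dkim=none; dmarc=fail header.from=example-corp.com
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: helpdesk@examp1e-corp.com
To: user@example.com
Subject: Password expires today
Content-Type: text/plain

Verify your password at https://example-corp.com.login.examp1e-corp.com/reset
"""

def domain_of(header_value):
    # Domain part of the first address in a header, lower-cased ('' if the header is absent).
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def auth_results(msg):
    # spf/dkim/dmarc verdicts stamped by the receiving MTA in Authentication-Results.
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts[mech] = result.lower()
    return verdicts

def analyze(raw_bytes):
    """Fill the template's header fields: sender, receiver, auth results, findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_dom = domain_of(msg["From"])
    auth = auth_results(msg)
    findings = [f"{m} is {auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) != "pass"]
    # Envelope sender or Reply-To on a different domain than the visible From is a spoofing tell.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    urls = re.findall(r"https?://\S+", msg.get_body(preferencelist=("plain",)).get_content())
    for url in urls:
        registered = ".".join(url.split("/")[2].lower().split(".")[-2:])  # naive: last two labels
        if registered != from_dom:
            findings.append(f"URL {url} is hosted on {registered}, not {from_dom}")
    return {"sender": str(msg["From"]), "receiver": str(msg["To"]), "auth": auth,
            "hops": len(msg.get_all("Received", [])), "urls": urls, "findings": findings}
```

Run `analyze(SAMPLE_EML)` to get the dictionary; on the sample it reports six findings (three failed auth mechanisms, two domain mismatches, one off-domain URL).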

Additional tasks:

- send it to KnowBe4 ->

- sent to KnowBe4 (sent to the KB4 email address) / report

- verdict (spam/malware/unknown)

- question: can we soft delete from KnowBe4?

- KnowBe4 automatic response is good

- Area 1 ->

- question: can we soft delete from KnowBe4?

- how to report to Area 1? do we need to open a ticket?

- responses for VP/AVP

- still working on it

  • Mail User Agent

    • Outlook

  • Mail Transfer Agent

    • Microsoft Exchange

Protocols

  • POP3

  • IMAP

  • Implementing email security controls to reduce impersonation-based phishing email

    • SPF

    • DKIM

    • DMARC

Warning signs of a phishing email include:

- Look-alike email addresses

- Look-alike domain names

- Misleading links

- Suspicious attachments

Controls:

- Deploy email filtering

- Scan for malicious attachments

- Implement a DLP solution

https://dnstwist.it/ helps to find look-alike domains

Start by sending a cease-and-desist letter to the site admin or domain registrant as soon as you discover the fake website. A registrant lookup service such as ICANN Lookup (WHOIS/RDAP) should be able to pull up this information for the fake website.
