Email Header Analysis
Phishing campaigns
- Email security controls
  - SPF, DKIM, DMARC
  - Safe Links / safe URL rewriting
  - Cloudflare Area 1
  - KnowBe4
  - Microsoft ZAP (zero-hour auto purge)
Metrics
- Collect the metrics and evidence (emails): which emails are bypassing us?
- Collect TTPs
- Classify based on TTPs
- Enforce security controls to block them (rinse and repeat this process)
- Metrics from the KnowBe4 campaign
  - Complete list of users the campaign is being run against
  - List of users who failed
Phishing email analysis:
- Receive the report in the phishing inbox
- Collect attachments and headers
- Any.Run
- Browserling
- Use Explorer to find how many recipients received it
- Run soft delete
- To Do: phishing email analysis / incident response template (Word)
  - Incident name
  - Incident time/date
  - Analyst name
  - Email sender
  - Email receiver
  - Header analysis findings
  - Artifact analysis (attachments, URLs)
  - SPF, DKIM, DMARC results for the sender email
  - Notes
  - Artifacts to collect (email, attachments); zip with password protection and share on SharePoint
Additional tasks:
- Send it to KnowBe4 ->
  - Sent to KnowBe4 (sent to the KB4 email) / report
  - Verdict (spam/malware/unknown)
  - Question: can we soft delete from KnowBe4?
  - KnowBe4 automatic response is good
- Area 1 ->
  - How do we report to Area 1? Do we need to open a ticket?
- Responses for VP/AVP
  - Still working on it
Mail User Agent
Outlook
Mail Transfer Agent
Microsoft Exchange
Protocols
POP3
IMAP
Implementing email security controls to reduce impersonation phishing emails
SPF
DKIM
DMARC
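As an added worked example (not part of these notes), the following Python script reads the Authentication-Results, From and Return-Path headers of a constructed message, extracts the SPF/DKIM/DMARC results that the receiving MTA stamped, and checks whether the SPF-authenticated envelope domain is aligned with the visible From domain; this is the kind of finding the header-analysis section of the template above records. Header layout follows RFC 8601; the sample message, domains and the `suspicious` rule are assumptions for illustration.

```python
"""Extract SPF/DKIM/DMARC results and check From/Return-Path alignment."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): SPF passes for a lookalike bounce domain, DMARC fails.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-example.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=mail-example.test; dkim=none; dmarc=fail (p=REJECT) header.from=example.test
From: "IT Helpdesk" <helpdesk@example.test>
Subject: Password expires today

Please reset your password at the link below.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^\s;]*@)?([^\s;]+)", re.IGNORECASE)

def domain_of(address: str) -> str:
    """Lowercase domain of an address such as 'Name <user@Example.test>'."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_headers(raw: str) -> dict:
    """Summarize authentication results for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    # A receiving MTA may stamp several Authentication-Results headers; read them all.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in RESULT_RE.findall(auth)}
    from_domain = domain_of(msg.get("From", ""))
    m = MAILFROM_RE.search(auth)
    envelope_domain = m.group(1).lower() if m else domain_of(msg.get("Return-Path", ""))
    # An SPF pass only vouches for the visible sender when the envelope (MAIL FROM)
    # domain matches the From: domain; that alignment is what DMARC tests.
    spf_aligned = results.get("spf") == "pass" and envelope_domain == from_domain
    return {
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf_aligned": spf_aligned,
        "suspicious": results.get("dmarc") != "pass" and not spf_aligned,
    }

if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```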
Warning signs of a phishing email include:
- Lookalike email addresses
- Lookalike domain names
- Misleading links
- Suspicious attachments
Deploy email filtering
Scan for malicious attachments
Implement a DLP solution
https://dnstwist.it/ helps to find lookalike domains
Start by sending a cease and desist letter to the site admin or domain registrant as soon as you discover the fake website. A domain registrant search service like ICANN should be able to pull up this information on a fake website for you.