Email Address
- How electronic mail works
- Protocol: SMTP, POP3, email servers, relays and email clients
Email Address
- Address has two parts: mailbox and domain
Email Protocols
SMTP (Simple Mail Transfer Protocol)
- Works on TCP port 25
- Once an email is created it is sent to the organization’s SMTP server,
which transports the email to the next server, before it eventually
reaches the SMTP server of the recipient organization.
- TCP port 587 is used with TLS encryption for secure communication.
Post Office Protocol 3 (POP3)
- Used by e-mail clients to retrieve e-mail from a mail server; version 3
is the current version.
- POP works by contacting your email server and downloading all emails
from it. Once they are downloaded onto your system, they are deleted
from the email server. This means that after an email is downloaded, it
can only be accessed from the computer that downloaded it, and trying to
access your emails from a different device will not work.
Internet Message Access Protocol (IMAP)
- Allows you to access your email wherever you are from any device.
- When you read an email message using IMAP you’re reading it from
the email server.
- As a result, you can check your email from different devices such as
laptop, desktop, and mobile phone.
- IMAP still allows emails to be downloaded, but you must manually click
to save the email locally.
Anatomy of an Email
Email Anatomy
- Email messages have two parts: header and a body
Email Header
- A set of lines containing information about the message’s
transportation, such as the sender’s address, the recipient’s address, or
timestamps showing when the message was handled by the intermediary
mail transfer agents (MTAs), which act as a mail sorting office.
- The header begins with the From line and is added to each time the
message passes through an intermediary server. Using headers, you can
see the exact path the email took and how long each server took to
process it.
Header Fields
- The message itself is made up of two elements: header fields and the
body.
- The header fields are a set of lines describing the message’s settings,
such as the sender, the recipient, the date, etc.
- Every email includes at least three pieces of information: From, To and
Date.
- Plus other optional header fields:
1. Received: showing various information about the intermediary
servers and the date when the message was processed.
2. Reply-To: showing a reply address
3. Subject: showing message’s subject
4. Message-ID: showing a unique identification for the message
5. Message body: containing the message, separated from the header
by a line break
Custom X-Headers
- It is important to note that header data is no guarantee of when the
message was sent or who sent it, as values can be edited without any
requirement for authorization, such as changing the From address to
make it look like the email has come from "contact@amazon.co.uk".
Additional personalized headers (called X-headers) can be set in order
to provide the appropriate information. X-headers are called such
because their name must begin with X-. For example, some anti-spam
software programs mark messages as unwanted using the following
header: X-Spam-Status: YES.
Email Body
- It contains the message and is text-based, or it can include images, HTML
or links.
- CyberChef can be used to quickly decode Base64 into readable text.
What is Phishing?
- Sending an email with malicious intent, to force recipients into
disclosing information, downloading malicious files, or otherwise
completing an action that they would not normally do, by exploiting a
human using one or more social-engineering techniques.
Types of Phishing Emails
Recon emails: used to get a response from the recipient. This does not
mean that the user has actually replied to the sender, as there are ways
that malicious actors can tell if an email has been successfully
delivered or even opened.
Recon emails are used to check if the destination mailbox is in use so
that it can be targeted in future phishing attacks.
Three types
- Recon spam emails that contain nothing except random letters in the
body text such as “asfhwofhewflwh”
- Emails that use social-engineering techniques to try and get the
recipient to respond.
- More complex emails use tracking pixels to see if the email has been
viewed in an email client.
Tactics Used
Spam Recon Emails
- These emails do not use any tactics and are simply looking to see if an
email error code is sent back to the attacker, such as “undeliverable”.
This allows the attacker to determine whether the mailbox is in use (no
error email sent back means the mailbox is in use, and the email was
delivered).
Social Engineering Recon Emails
- These emails will use social engineering techniques, such as posing as
a person that the recipient may know or have regular communication
with, in order to get a response. Other tactics may include creating a
message with a sense of urgency.
Tracking Pixels Explained
- A tracking pixel is an HTML code snippet that is loaded when a user visits
a website or opens an email. It allows the attacker to see if the email
has been viewed in an email client.
- The malicious actor will add the tracking pixel using HTML code in the
email body. This code contains an external link to a pixel server. If the
email recipient opens the email, the client or webmail provider will load
the HTML code, sending a request back to the server.
- The following data can be acquired and analyzed using a tracking pixel:
1. OS
2. Type of website or email used
3. Type of client used
4. Client’s screen resolution
5. Date and time the email was read
6. IP address
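The pattern just described can be checked for on the receiving side before an image is ever fetched. The following is an added example, not part of the course notes: it parses an HTML body and flags remote images that are sized or styled to be invisible, which is what a tracking pixel looks like in the source. The sample HTML and the hostnames in it are constructed.

```python
"""Flag tracking-pixel candidates in an HTML email body.

Added example, not part of the course notes: it looks for the pattern
described above, an <img> whose source is an external server and whose
size or CSS makes it invisible. The sample HTML is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (optionally '1px'), which hides the image."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_tracking_pixels(html_body):
    """Return [(url, [reasons])] for remote images that look like tracking pixels."""
    parser = ImgCollector()
    parser.feed(html_body)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a server
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("1x1 or zero size")
        if re.search(r"(width|height):[01](px)?(;|$)", style):
            reasons.append("tiny css size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by css")
        if reasons and parsed.query:
            reasons.append("carries a query string (often a per-recipient id)")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate logo, two tracking pixels and an inline image.
SAMPLE_HTML = """
<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.invalid/open.gif?id=abc123" width="1" height="1">
<img src="cid:signature" width="1" height="1">
<img src="https://track.example.invalid/p.png" style="display:none; width:1px">
</body></html>
"""

if __name__ == "__main__":
    for url, reasons in find_tracking_pixels(SAMPLE_HTML):
        print(url, "->", ", ".join(reasons))
```

The simplest mitigation remains configuring the mail client to not load remote images by default; this check is useful when triaging a reported email, because the pixel server hostname is itself an artifact worth recording.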
Credential Harvesting
- Targeting human weaknesses to obtain valid credentials.
- The email impersonates popular online services and retailers such as
Amazon and DHL, and tells the recipient to click a URL that looks
genuine.
Malicious Attachment
Microsoft Office Macros
- MS Office documents such as Word and Excel offer the ability to
include macros. These are a series of commands and instructions that
can be run automatically once enabled.
- However, in recent versions of Microsoft Office, macros are disabled
by default. This means malware authors need to convince users to
enable macros so their malware can execute. They do this by showing a
fake warning when the malicious document is opened.
- The above screenshot shows an example of a malicious Microsoft Word
document. At the top we have the legitimate ribbon, where users can
click “Enable Content” to unlock the document, allowing macros to run
automatically. Everything below this ribbon is fake, and has been
crafted by the malicious actor, including the second ribbon titled
“SOMETHING WENT WRONG”. The attacker is trying to convince the
recipient that this document is an older version and that they need to
convert it to the latest version for it to run properly.
- Once run, these macros can connect to domains on the internet and
download malware directly to the system.
- Microsoft has published some good suggestions.
1. Make sure macros are disabled in your Microsoft Office applications.
2. Don’t open suspicious emails or suspicious attachments.
3. Delete any emails from unknown people or with suspicious content.
Spam emails are the main way macro malware spreads
4. Enterprises can prevent macro malware from running executable
content using ASR rules. (Attack surface reduction rule)
HOSTED MALWARE
- Delivery method of malware is by hosting it on websites, and
convincing users to click on a hyperlink, download a file, and then run
it. It is very similar to macro malware, but users need to manually visit
and download the malware themselves.
Compromised Domains
- Legitimate sites can be compromised by attackers and then used to
host malware. Often the legitimate site is left completely intact so that
the site owner and visitors don’t realize their site has been hacked and
is being utilized for malicious purposes. A hyperlink to the malicious
URL hosting the malware is then distributed in phishing emails.
SPAM Emails
Tactics and Techniques used by Malicious Actors
- There are a lot of techniques that can be used to make emails seem
legitimate, increase the chances of targets interacting with malicious
elements, bypass security features such as email scanning or make it
harder for security teams to take defensive measures and stop
malicious emails being delivered to employee mailboxes.
Spear Phishing:
- It is when a malicious actor spends time before the phishing attack to
gather information about their specific target, to make the email more
effective. This type of attack requires planning and good use of OSINT
to gather information. The attacker will look for websites that the
target uses, any hobbies or interests they have, and even records of
family members, colleagues, or friends.
- Other phishing email techniques can be used, such as typo squatting
or sender spoofing, to make the email sender appear legitimate, and if
the attacker is trying to entice the target to visit a malicious website,
the typo squat domain works to mimic the real name of a legitimate
site, making it harder to spot at a glance that it’s fake.
IMPERSONATION
- Act of pretending to be somebody else. This can be used by malicious
actors to trick their target into thinking they are someone they know,
making them more likely to open and interact with a phishing email. A
malicious actor could pose as a friend, a colleague, or even someone
higher up within the organization, such as manager, director, or even
the CEO.
- The below diagram shows an example phishing attack where a
malicious actor is posing as the CEO to convince an employee in the
Finance Department to send funds to an attacker-owned bank account.
TYPO SQUATTING
- It is the act of impersonating a brand or domain name by misspelling
it, such as missing letters or including additional ones. Below are the
examples for security blue team domain, securityblue.team
1. Securrltyvblue.team
2. Secuirtybllue.team
3. Securtyblue.team
Homoglyphs
- A homoglyph phishing attack is virtually impossible for users to spot.
This attack exploits the fact that many different characters look exactly
alike. These characters are called homoglyphs, and the problem is with
how the characters are encoded using Unicode.
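Both look-alike tricks above (typo-squats and homoglyphs) can be screened for automatically. The block below is an added example, not part of the course notes: it scores a sender domain against a constructed watch-list of domains we protect using an edit distance that counts missing, extra, substituted and swapped letters, and it names any non-ASCII character or decodes any punycode (`xn--`) label so the analyst sees what the domain actually contains rather than what it looks like. The watch-list, the sample domains and the thresholds are assumptions for the demo.

```python
"""Check a sender domain for typo-squatting and homoglyph look-alikes.

Added example, not part of the course notes. It applies the two checks the
text describes: edit distance against a watch-list of domains we protect
(catching missing, extra or swapped letters) and a Unicode/punycode scan for
characters that merely look like ASCII. The watch-list is constructed.
"""
import unicodedata

PROTECTED_DOMAINS = ["securityblue.team", "paypal.com"]  # constructed watch-list


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def homoglyph_findings(domain):
    """Name every non-ASCII character and decode any punycode (xn--) label."""
    findings = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                shown = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                shown = "<undecodable>"
            findings.append(f"punycode label {label} renders as {shown!r}")
    for ch in domain:
        if ord(ch) > 127:
            findings.append(f"non-ASCII {ch!r} is {unicodedata.name(ch, 'UNKNOWN')}")
    return findings


def assess_sender_domain(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, details); homoglyph outranks typosquat outranks ok."""
    domain = domain.strip().lower()
    glyphs = homoglyph_findings(domain)
    if glyphs:
        return "homoglyph", glyphs
    if domain in protected:
        return "ok", ["exact match with a protected domain"]
    closest = min(protected, key=lambda p: edit_distance(domain, p))
    dist = edit_distance(domain, closest)
    if dist <= max_distance:
        return "typosquat", [f"{domain} is {dist} edit(s) from {closest}"]
    return "ok", [f"nearest protected domain {closest} is {dist} edits away"]


# Constructed samples; the first two copy the typo-squat list above.
SAMPLES = ["securtyblue.team", "secuirtybllue.team", "securityblue.team",
           "p\u0430ypal.com",  # Cyrillic 'а' in place of Latin 'a'
           "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com",
           "gmail.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        verdict, details = assess_sender_domain(d)
        print(f"{d!r}: {verdict} - {'; '.join(details)}")
```

A distance threshold of 2 catches the three examples listed under Typo Squatting only partly (the first, with three edits, falls outside it), so in practice the watch-list is paired with a larger threshold for high-value brands and with an allow-list of known partner domains to keep false positives down.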
Sender Spoofing
- Sender spoofing is the process of making the sending address in an
email look the same as a legitimate email address, so that recipients
believe it is coming from a genuine sender. This is typically used with
credential harvesters, where the attacker wants the recipient to believe
the email has actually come from the impersonated company so they are
more likely to enter valid credentials.
- The malicious actor sends an email with a “From:” address that
appears to be from a source the recipient trusts, such as a well-known
brand, work colleague, or family member. There is no verification done
at this point, so SMTP emails can use any FROM address they want.
Want to send an email that looks like it comes from
contact@secuirtyblue.tem?
- (Example for From address) Although the FROM address will look
completely legitimate, we can look at the sending server IP
(X-Originating-IP) and perform a WHOIS or IP lookup to determine
whether this server belongs to the organization the email claims to be
from.
- (Example for FROM address with Reply-To) We can look at the Reply-To
address and see where replies would be sent. We can then block this
address on the email gateway to prevent emails from going outbound
to it.
Malicious Attachments
- Malware can be distributed through email attachments, such as
Microsoft Office documents that are utilizing malicious macros to
download malware to the target system. We will typically see three
categories of attachments:
1. Non-malicious files that are used for social engineering (such as
invoices, letters of appeal, and images)
2. Non-malicious files that have malicious hyperlinks (such as PDFs
that contain a link to a malicious site)
3. Malicious Files (such as malicious scripts, or more likely Microsoft
Office documents with malicious macros, such as word or Excel)
INVESTIGATING A PHISHING EMAIL
ARTIFACTS TO COLLECT
- Artifacts are specific pieces of information we need to retrieve from
emails that allow us to conduct further searches, share intelligence
with other organizations, and take defensive measures.
EMAIL ARTIFACTS
Sending Email Address:
- This is where the email has come from or appeared to come from. We
already saw how malicious actors can alter what the sending address
looks like to make it appear legitimate.
- We need to record the email address that has apparently sent the
email.
- We can use this as a search term in email gateway security products to
identify any other emails that have come from, or been sent to that
address.
Subject Line
- The subject line is a very useful artifact, both for searching for other
associated emails by using it as a search term in our email gateway
security product, and for blocking incoming emails that are part of the
same attack and use the same subject line.
Recipient Email Addresses
- We need to identify which mailboxes have received this same phishing
email, so we can inform them not to interact with it. Usually, the
malicious actor will enter the recipients into the Blind Carbon Copy
(BCC) field, so that recipients can’t see who else the email was sent to.
- To identify recipients, we would typically check our email gateway, and
search for emails coming from the sending address and including the
subject line we have observed, which will give us a list of any other
mailboxes that received the same email.
Sending Server IP and Reverse DNS
- We need to know the address of the server that has sent the email, as
this will help us to identify if the sending address has been spoofed.
- Once we have collected the IP we can perform a reverse DNS search on
it using online tools such as Reverse IP Lookup by MXToolbox, which
will provide us with a hostname that should give us some more
information about the server.
Reply-To Address
- This is the email address that will receive any replies to the original
email. In some cases, this value will be different from the sending
address: if an attacker has successfully spoofed
“support@amazon.com”, any replies would go to that address, which
the attacker won’t have access to. Instead, they can insert the email
address of an attacker-controlled account, so replies will go to
flamingo9151@outlook.com
Date and Time
- It’s good practice to record the date and time an email was sent.
Searching for a period on either side of the observed time could allow
for other emails to be identified that are a part of the same attack or
campaign. This can also be used as a metric to see at what times the
organization receives the most malicious emails.
FILE ARTIFACTS
Attachment Name
- The attachment name is a useful artifact when it comes to defensive
measures, as depending on the uniqueness of the name, it can
possibly be blocked using EDR, using the filename as an IOC.
- This should always include the file name and file extension.
SHA256 Hash Value
- A hash, the unique string generated from a file, needs to be recorded
as it represents the file in its entirety, and can be used for reputation
checks using online tools such as Virus Total and Talos File Reputation.
- MD5 and SHA1 hashes should no longer be used, as they have known
hash collisions.
- SHA256 is the current security standard for file hashing.
WEB ARTIFACTS
Full URLs:
- Copied full URL either from the email client by right clicking the
hyperlink and selecting “Copy Link Destination”, or by copying it from a
text editor.
Root Domain:
- Most of the time, if we have the full URL, we don’t need the root domain
separately.
- But sometimes it can help show whether the site was created for
malicious activity, or whether it is a legitimate site that has been
compromised.
Manual Collection – Email Artifacts
Email Artifacts
- To collect email and web artifacts, we will be using an email client and
text editor.
- To collect file-based artifacts, we will use PowerShell or Linux terminal.
Email Artifact List
- The easiest email artifacts to retrieve are
1. Sending Address
2. Subject Line
3. Recipients (Unless they’re in BCC)
4. Date + Time
Email Client Extraction
- We can use email clients to retrieve common indicators very quickly
and easily.
1. Subject Line: Hello
2. Sending Address: bobtom112233@gmail.com
3. Date + Time = Monday 16th September 2019 at 17.33
4. Recipient(s)=contact@dicksonunited.co.uk
Text Editor Extraction
- There is additional information we need to collect, such as the
Sending Server IP (which server has sent the email) and the Reply-To
address (where any replies to the email will be sent – this may not
always be the initial sender). This can easily be obtained by
downloading the email in either .eml or .msg file format and opening
the file with a text editor.
- When the email opens in the text editor, the result is an extremely
long and complicated document, so we use CTRL + F to search it.
- The first thing we want to collect is the sending server IP, also referred
to as the X-Sender-IP.
- Now we have the IP, we need to convert the address into hostname.
We can do this by performing a reverse DNS lookup. We recommend
you use the free online service by Domain Tools
– https://whois.domaintools.com/.
- In the above screenshot, we can see that the host is mail-If1-
f42.google.com – a Gmail sending server. Sometimes the sending
address domain and sending IP might not match up. If the sender is
bob@gmail.com but the IP address belongs to Outlook, we know that
the sending address has been spoofed.
- Next, we need to retrieve the Reply-To address. In the screenshot below,
we can see it.
Manual Collection Web Artifacts
- The term “web artifact” is used to describe a hyperlink in an email that
will redirect the recipient to a domain, an IP address, or a specific URL.
These can be used to host fake login portals that steal any entered
credentials or pages that host malware which is downloaded when the
site is visited.
- We are looking to retrieve
1. The full URL
2. The root domain
Email Client Extraction:
- Here, the text is hyperlinked, and if you hover over it you see a URL
that is not related to PayPal.
- We can right-click the URL and copy the link, but it’s risky.
Text Editor Extraction
- Search for “http”
- Search for anchor HTML tags <a> which are used to perform
hyperlinking
- Search for the text from the email body that is hyperlinked; here we
could search for “you can cancel it”.
Manual Collection – File Artifacts
- We need to collect file hashes of malicious attachments to perform
reputation checks and implement defensive measures.
Hashes via PowerShell
- File hashes can be retrieved using PowerShell with the Get-FileHash
cmdlet. By default, this will generate a SHA256 hash.
- We can also retrieve MD5 and SHA1 hashes using the Get-FileHash
cmdlet with the -Algorithm switch.
- To make it easier, we can chain PowerShell commands using the ;
character and retrieve all three hash values at once.
Hashes via Linux CLI
- File hashes can be easily retrieved using the Linux commands
(command names are case-sensitive):
1. sha256sum <file>
2. sha1sum <file>
3. md5sum <file>
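The manual email, web and file artifact collection described from “Manual Collection – Email Artifacts” down to here, together with the header fields from “Anatomy of an Email”, can be done in one pass over an .eml file. The block below is an added example, not part of the course notes or any tool they mention: it uses Python’s standard `email` package in place of a text editor, CTRL+F and Get-FileHash, and returns the same artifact list: sending address, Reply-To, subject, date, recipients, sending server IP (from X-Originating-IP or X-Sender-IP when present, otherwise the bottom-most Received hop), URLs from the decoded body, and attachment names with SHA256 hashes. The sample message it builds is constructed; every address, hostname and IP in it is made up.

```python
"""Collect the email, web and file artifacts listed above from an .eml file.

Added example; it is not part of the course notes and uses Python's standard
`email` package in place of a text editor, CTRL+F and Get-FileHash. The
sample message is constructed here (all names, addresses and IPs made up).
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""https?://[^\s"'<>]+""")


def sha256_hex(data):
    """SHA256 of the raw attachment bytes, the hash the notes ask us to record."""
    return hashlib.sha256(data).hexdigest()


def sending_server_ip(msg):
    """X-Originating-IP / X-Sender-IP if present, else the IP in the bottom-most
    Received header (the hop closest to the sender; the top one is the latest)."""
    for name in ("X-Originating-IP", "X-Sender-IP"):
        m = IPV4.search(str(msg.get(name, "")))
        if m:
            return m.group(0)
    for hop in reversed(msg.get_all("Received", [])):
        m = IPV4.search(str(hop))
        if m:
            return m.group(0)
    return None


def extract_artifacts(raw_eml):
    """Return the artifact dictionary for one message (bytes of an .eml file)."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    arts = {
        "sending_address": parseaddr(str(msg.get("From", "")))[1],
        "reply_to": parseaddr(str(msg.get("Reply-To", "")))[1] or None,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "recipients": [a for _, a in getaddresses(
            [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])],
        "sending_server_ip": sending_server_ip(msg),
        "urls": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            arts["attachments"].append(
                {"name": part.get_filename(), "sha256": sha256_hex(data), "bytes": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            # get_content() undoes base64/quoted-printable encoding for us
            for url in URL.findall(part.get_content()):
                if url not in arts["urls"]:
                    arts["urls"].append(url)
    return arts


def build_sample_eml():
    """Constructed message in the shape of the 'Hello' example above."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.example.net (mail.example.net [198.51.100.7]) "
                       "by mx.dicksonunited.example with ESMTP; Mon, 16 Sep 2019 17:33:02 +0100")
    msg["Received"] = ("from [203.0.113.45] (unknown [203.0.113.45]) "
                       "by mail.example.net with ESMTPA; Mon, 16 Sep 2019 17:32:58 +0100")
    msg["From"] = "Bob Tom <bobtom112233@example.com>"
    msg["Reply-To"] = "flamingo9151@example.org"
    msg["To"] = "contact@dicksonunited.example"
    msg["Subject"] = "Hello"
    msg["Date"] = "Mon, 16 Sep 2019 17:33:00 +0100"
    # base64 body, as many phishing emails ship it
    msg.set_content('<p>Your subscription renews today. '
                    '<a href="https://secuirtyblue.example/login">you can cancel it</a></p>',
                    subtype="html", cte="base64")
    msg.add_attachment(b"not really a document", maintype="application",
                       subtype="msword", filename="invoice.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in extract_artifacts(build_sample_eml()).items():
        print(f"{key}: {value}")
```

For a real investigation, pass the bytes of the downloaded .eml (`open(path, "rb").read()`) to `extract_artifacts`; the Reply-To, sending server IP and hashes it returns are the values to feed into the reverse DNS, WHOIS and reputation checks described above.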
AUTOMATED COLLECTION WITH PHISHTOOL
- PhishTool provides the ability to forensically analyze phishing emails,
tag malicious artifacts, and generate investigation reports.
EXAMPLE ONE
- On the analysis console homepage, you’ll be presented with the view
shown in the screenshot below. This is where we can drag-and-drop a
malicious email, or browse our file system and upload it.
- In this case, we’re going to click the Browse button, find the email we
want to submit for analysis, and upload this Amazon credential
harvester.
- Once the analysis has been completed, you will see a screen that looks
similar to the following screenshot.
- The artifacts we’re interested in are
1. Sending Address
2. Subject Line
3. Recipients
4. Date + Time
5. Sending Server IP
6. Reverse DNS
7. URLs (If applicable)
8. File Name (not applicable)
9. File Hash (not applicable)
- In the Basic Header section, we will be able to retrieve artifacts 1, 2, 3
and 4.
- Below this, there is a Detailed Header section that includes the
X-Originating-IP and the reverse DNS result, which gives us artifacts 5
and 6.
- And Finally down at the bottom, we have a section for URLs, where we
can retrieve all hyperlinks that were included in the email.
EXAMPLE TWO
- We’re going to submit an email that has a potentially malicious
attachment, so we can show you how to retrieve file-based artifacts
using PhishTool. Below is a screenshot of the phishing email we’re
going to analyze.
- After submitting the email to PhishTool, under the Basic Header section
there is a section titled Attachments. This provides us with the MD5
hash of the file and the file name. We can also click on the VirusTotal
link to automatically submit the hash for analysis and retrieve a
community reputation score.
PHISHING ANALYSIS
- Now that we understand how to collect email, web, and file-based
artifacts, this section will teach you how to analyze them so we can
determine if suspicious emails are truly malicious and gather the
information that will be useful when it comes to taking defensive
measures to protect the business.
Visualization Tools
- This section covers tools we can use to visualize a malicious URL without
actually having to visit the site, as it could be highly malicious.
- Tools: URL2PNG and URLScan
URL2PNG
- Simply enter a URL, hit go, and it’ll provide you with a screenshot of
what the webpage looks like. The screenshot below shows me entering
a malicious URL for a real-world Outlook Web Access credential
harvester into the tool:
URLScan
URLScan, amongst the other information this tool gathers on a searched
URL, has the ability to provide a screenshot. In this example, you can
see a screenshot has been taken on the right-hand side, allowing us to
see what the destination web page looks like. In this case, it is an
Outlook Web App credential harvester.
URL Reputation Tools
- VirusTotal and URLScan.io
VirusTotal: Know yourself
URLScan:
- URLScan is a service that can provide us with tons of information about
a URL.
Threat Feeds:
- There are a number of public threat feeds that can provide security
teams with intelligence regarding phishing attacks and malicious
artifacts, which can be used to power blacklists for email security
products. Examples of these feeds include URLhaus and PhishTank.
- PhishTank operates like URLhaus and allows users to submit phishing
artifacts, which are then verified by the wider community. In the
screenshot below you can see what the URLhaus database looks like.
- The URLhaus database is a huge collection of malicious URLs reported by
researchers. In the screenshot below, you can see the date the URL was
added to the database, the malicious URL, the status showing whether
this resource is still available on the internet or not, tags that show
at a glance what the malware is, and a final column showing which
user reported the URL.
Malware Sandboxing
- Sandboxing is the process of executing a piece of malware in a
contained environment and closely monitoring exactly what the
software does, allowing security teams to collect indicators of
compromise.
Hybrid Analysis
- It is an online malware analysis platform that lets you upload malware
for instant cloud-based analysis, providing you with a detailed report
about the observed activity.
- First, navigate to the Hybrid Analysis website. Here you can drag-and-
drop, or browse for, the file you want to upload.
- Next, you can choose the operating system that you want to execute
the malware on – this is perfect for malware that only targets specific
operating systems. For this activity, we’ll just use the default Windows
Virtual Machine.
- Once you’ve clicked “Generate Public Report” you will be directed to the
report page once the analysis has been completed.
TAKING A DEFENSIVE ACTION
PREVENTATIVE: Marking External Emails
- The majority of phishing emails will come from external addresses.
- In platforms such as Microsoft Exchange or Office 365, there is the
ability to alter the subject line or body text of an email that is
coming into the organization, to alert the recipient that this email isn’t
an internal communication and could potentially be malicious.
- This simple warning can make employees think twice about interacting
with an external email, such as opening an attachment or clicking on a
hyperlink.
- A good idea is to apply a rule where any email coming from an external
sender into the organization has the subject line prepended with a very
short marker, such as “[External]” or “[EXT]”.
EXAMPLE
Above is a sample email without any rule applied.
- To implement a rule, we’ll head over to the Exchange admin center and
click on mail flow on the left-hand menu
- From here we’re able to create email rules. We will click the “+” icon
and select “Create a new rule...”
- Below, we have named our rule “Received from scope outside the
organization”. The rule is applied if:
1. The sender is outside the organization (securityblue.team.domain)
2. AND the recipient is inside the organization
- If these two conditions are met, then prepend the subject of message
with “[EXTERNAL]”
- You can see the completed rule below on the right-hand side.
- So now if we send another email to our @securityblue.team mailbox
from our Gmail address, we can see the email is now being marked.
PREVENTATIVE: Email Security Technology
Anti-Spoofing Records:
- DNS records offer the ability to set up anti-spoofing records.
- SPF, DKIM and DMARC can be used together to help strengthen the
security of an organization’s email service.
SPF Records
- A Sender Policy Framework (SPF) record is a type of DNS (TXT) record
that can help prevent an email address from being forged.
- This record is established to identify the hostnames or IP addresses
that are allowed to send emails for your custom domain.
- When having an SPF record specified on your domain, it helps prevent
a malicious actor from spoofing your domain.
- The SPF TXT record contains three parts: the declaration of the record
type, the IP addresses and external domains that can send on your
domain’s behalf, and an enforcement rule.
- The basic syntax of the record is
v=spf1 <IP> <enforcement rule>
- For example, securityblue.team has the following SPF record:
v=spf1 a:include:mailgun.org protection.outlook.com -all
- We can see the record declares that it’s an SPF record, that it allows
mail to be sent from mailgun.org and protection.outlook.com, and that
-all specifies a hard fail if the domain is spoofed by an unauthorized
sender.
DKIM Records:
- DomainKeys Identified Mail (DKIM) is a method of email authentication
that cryptographically verifies whether an email was sent by the
domain’s trusted servers and hasn’t been tampered with in transit.
- The way DKIM works is that when the mail server sends an email, a hash
of the email contents is generated and signed with the domain’s private
key, and the signature is added to the email header as a
DKIM-Signature.
- The receiving server can verify that the email contents have not been
tampered with by looking up the corresponding public key in the
domain’s DNS records.
- Once the receiving mail server has checked the signature with the
public key, it calculates a new hash and verifies that the original and
the newly generated hash match, which ensures message integrity.
- The basic syntax of the record is:
v=DKIM1 <key type> <public key>
DMARC Records
- Domain-based Message Authentication, Reporting & Conformance
(DMARC) is an email authentication, policy, and reporting protocol.
- This type of record allows the domain owner to specify what should
happen if emails fail both SPF and DKIM checks.
- There are three basic options that the mail server can take, none,
quarantine, and reject.
- The basic syntax of the record is:
v=DMARC1 <action> <report address>
- For example, securityblue.team could have the following record:
v=DMARC1; p=quarantine; rua=mailto:contact@securityblue.team
- We can see that the record declares that it’s a DMARC record, that it
sets emails to go to the quarantine/spam folder when failing both
checks, and that aggregate reports are sent to
contact@securityblue.team of the emails that have failed DMARC.
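The SPF and DMARC records above are plain text, so their logic can be exercised without touching DNS. The block below is an added example, not part of the course notes: it evaluates an SPF record for a given sending IP (ip4/ip6 mechanisms with their +, -, ~ and ? qualifiers, the `all` enforcement rule, and `include:` when the included domain’s record is supplied in a dictionary), parses a DMARC record into its tags, and applies the policy the notes describe, where the p= action only kicks in when both SPF and DKIM fail. Mechanisms that need a DNS lookup (a, mx, exists, redirect=) are deliberately treated as no-match, and DMARC identifier alignment is left out; both are assumptions of this simplified model. The records, domains and addresses are constructed and are not securityblue.team’s real ones.

```python
"""Evaluate an SPF record for a sending IP and apply a DMARC policy.

Added example, not part of the course notes. It works offline on record
strings you paste in, with no DNS: ip4/ip6/all mechanisms and their
qualifiers, plus include: when the included domain's record is supplied.
All records and addresses below are constructed, not securityblue.team's.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, includes=None, depth=0):
    """SPF result for sender_ip under `record`: pass, fail, softfail, neutral,
    none (not an SPF record) or permerror (unresolvable include)."""
    if depth > 10:  # RFC 7208 caps DNS-based lookups, so cap recursion too
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # no prefix means '+', i.e. a match is a pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":  # the enforcement rule; always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = (includes or {}).get(arg.lower())
            if inner is None:
                return "permerror"  # would need a DNS TXT lookup
            if evaluate_spf(inner, sender_ip, includes, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and redirect= need DNS lookups; treated as no-match here
    return "neutral"  # no mechanism matched and no 'all' present


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; rua=...' into a tag dictionary, checking the
    two mandatory tags."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def dmarc_disposition(tags, spf_result, dkim_passed):
    """What the receiver should do, per the notes: the p= action applies only
    when both SPF and DKIM fail (identifier alignment is left out here)."""
    if spf_result == "pass" or dkim_passed:
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "quarantine",
            "reject": "reject"}[tags["p"]]


# Constructed records: the domain delegates to its mail provider's record.
RECORDS = {
    "example.test": "v=spf1 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
DMARC = "v=DMARC1; p=quarantine; rua=mailto:contact@example.test"

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.45"):
        spf = evaluate_spf(RECORDS["example.test"], ip, RECORDS)
        action = dmarc_disposition(parse_dmarc(DMARC), spf, dkim_passed=False)
        print(ip, "SPF:", spf, "| DMARC disposition:", action)
```

Running it shows the difference between the provider’s `~all` (a softfail that most receivers still deliver) and the domain’s own `-all`: a message from an IP outside the provider’s ranges hard-fails at the top level, and with DKIM also failing the DMARC p=quarantine policy sends it to spam.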
PREVENTATIVE: Spam Filter
- Spam can be classified as unwanted commercial or soliciting emails.
These messages can often lead to annoyance, lost time/money, and
potentially malware, depending on the intention of the spammer and
the action taken by the user.
- Main types of filters
1. Gateway Spam Filters: These sit behind an on-premises firewall of a
network. They are often used by larger enterprise organizations; an
example of a gateway filter is the Barracuda email security gateway.
2. Hosted Spam Filters: These are hosted in the cloud. They work very
similarly to gateway spam filters but can update more quickly than
some on-premises filters; an example of a hosted filter is Spam Titan.
3. Desktop Spam Filter: These filters are user-installed and are
typically used in SOHO scenarios. One major drawback of these
kinds of filters is that they can sometimes be categorized as
“Freeware”, and you may not fully know what application is
installing on your system.
PREVENTATIVE: Attachment Filtering
- One way to stop malware from being delivered to employees’
mailboxes is by limiting what types of files are allowed to come into the
organization as email attachments.
Filtering:
- It isn’t a good idea to block attachments outright – employees will have
difficulty sending legitimate documents internally and externally.
- Email gateways and email security tools will often allow different
actions to be taken once a certain attachment has been identified, such
as scanning it for malicious indicators, blocking the email from being
delivered, quarantining the email, stripping the attachment, alerting
the email gateway administrator, sending an email to specific
recipients about the activity, or generating logs which can be ingested
by a SIEM platform and used to generate an alert for security analysts.
PREVENTATIVE: Attachment Sandboxing
- Pre-defined rules and configuration are used to block specific file types
or naming conventions, meaning that files that look legitimate, such as
Microsoft Office Documents with malicious macros can sail through and
land in employee mailboxes. So, sandboxing is required, where
everything is monitored to see what happens when a file is executed.
PREVENTATIVE: Security Awareness Training
- Employees should know the signs of a phishing email, such as:
1. Coming from an unknown sending address
2. Improper grammar and spelling mistakes
3. Poor styling
4. Trying to get the recipient to click on a button or complete an action
5. Suspicious URLs and attachments.
Simulated Phishing Attacks
- It is common for security-conscious organizations to launch simulated
phishing attacks against their own employees in order to determine
how effective their current security awareness training is.
REACTIVE: Immediate Response process
- Immediate response is the steps the investigating analyst should take
once they have identified a phishing email from detection through to
concluding their investigation report. These steps will work to triage
the attack and take measures to address the risk generated by
malicious emails being successfully delivered to employee mailboxes.
The steps are:
1. Retrieve an original copy of the phishing email
2. Gather artifacts from the phishing email
3. Inform the recipients that received the email
4. Investigate malicious artifacts to collect indicators of compromise
that can be blocked to protect the organization
5. Take defensive measures
6. Complete the investigation report, documenting all of the above
steps
Blocking Email Artifacts:
- Email Sender
- Sender domain
- Sending server IP
- Subject line
Blocking Web Artifacts:
- Use web proxy for URL blocks, domain blocks
- Use DNS blackholing (the process of creating a fake DNS entry so that if
an employee tries to access the malicious URL, they are sent to a
different site instead).
- Use firewall
REPORT WRITING
- The report must include:
1. Email header details, artifacts collected, and a description of the
body content
2. Users affected and action taken to notify them
3. Analysis process, tools used, and results
4. Defensive measures taken
5. Lessons learned
Email Header and Artifacts
- Email Header
1. Sending Email Address
2. Reply-to Address
3. Date sent
4. Sending Server IP
5. Recipient(s)
6. Subject Line
Email with URLs:
- Any relevant URLs (sanitized)
Email with Attachments:
- File Name(s) + Extension
- MD5 Hash(es)
Email Body Content
- In whatever platform you’re using to store investigation notes, attach
the email file directly to the case so that you have a copy of it for as
long as needed.
- It’s good practice to include a brief description of the email and a
screenshot in your case notes, saving other analysts the hassle of
downloading and opening the email file in a client themselves.