Phishing Mail Investigation

 

Phishing investigation

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

 

In SIEM investigation, phishing mails are reported to us by:

1. Customers,

2. Employees, or

3. An alert in the SIEM tool.

 

The investigation proceeds as follows.

First, we request the employee or customer to send us the saved email.

Once we receive the mail:

1. Save the mail.

2. Go to Properties.

3. Copy the complete Internet Header information.

Then open the Threat Intelligence tool MxToolbox, go to Header Analyzer and paste the header there.

In the Header Analyzer output, the following points need to be checked:

 

1. SPF (Sender Policy Framework)

Find the original sender IP address, then check its reputation in various Threat Intelligence (TI) tools:

   1. MxToolbox

   2. IPVoid

   3. IBM X-Force

2. SCL (Spam Confidence Level): 0 to 5; check the malicious level.

3. DKIM (DomainKeys Identified Mail)

DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.

4. DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

Check the values of these results; from them we can conclude whether the mail is malicious or not.

 

 

Then also check the Return-Path: whether it is the same address as the sender.

Careful observation is required to identify a suspicious sender.
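The header checks above (SPF, DKIM, DMARC, SCL, originating IP and Return-Path versus From) can be pulled out of a saved header block automatically before the values are pasted into the TI tools. The script below is an added example, not part of the original post; the header sample it parses is constructed with documentation addresses, and it compares the Return-Path and From domains rather than the full addresses, since bounce addresses legitimately differ from the visible sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (RFC 5737 documentation addresses), not a real message.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbound.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
Received: from unknown (HELO smtp.example.net) (203.0.113.45) by mx.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example.com
X-MS-Exchange-Organization-SCL: 5
From: "Bank Support" <support@bank.example.com>
Subject: Urgent: verify your account

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_of(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Extract the header fields the investigation checks and list anomalies."""
    msg = message_from_string(raw)
    # spf=, dkim=, dmarc= verdicts as recorded by the receiving gateway
    auth = msg.get("Authentication-Results", "")
    checks = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # Each hop prepends a Received header, so the last one is the first hop;
    # its first IP is the originating address to look up in the TI tools.
    received = msg.get_all("Received") or []
    ips = IPV4.findall(received[-1]) if received else []
    scl_raw = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(scl_raw) if scl_raw else None
    findings = [f"{c}={checks.get(c, 'missing')}" for c in ("spf", "dkim", "dmarc")
                if checks.get(c) != "pass"]
    if domain_of(return_path) != domain_of(from_addr):
        findings.append("return-path domain differs from From domain")
    if scl is not None and scl >= 5:
        findings.append(f"scl={scl}")
    return {"from": from_addr, "return_path": return_path,
            "originating_ip": ips[0] if ips else None,
            "spf": checks.get("spf"), "dkim": checks.get("dkim"), "dmarc": checks.get("dmarc"),
            "scl": scl, "findings": findings,
            "verdict": "suspicious" if findings else "no header anomalies"}
```

Running `analyze_headers(SAMPLE_HEADERS)` on the constructed sample reports failed SPF and DMARC, no DKIM, a Return-Path domain that does not match the From domain, and the originating IP 203.0.113.45 to feed into the reputation checks.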

 

After analyzing the header part, check the body of the mail for:

1. URLs or hyperlinks.

2. Any attachments.

3. Any images that contain hyperlinks.

 

 

If any links or URLs are present, check their reputation using TI tools like:

1. VirusTotal

2. URLScan

3. URLVoid

4. WhereGoes

5. ANY.RUN

Note the reputation of the URLs or hyperlinks.

 

If any attachments are present, they need to be sandboxed in an open-source TI tool:

1. VirusTotal

2. Hybrid Analysis

3. ANY.RUN

Note the reputation of the attachment.

Based on this investigation we conclude whether the phishing alert is a true positive (TP) or a false positive (FP).

 

 

If the mail is TP, check with the Email Gateway team by sending them the URL, sender mail, domain, and subject line.

They will give an entire report about the mail, like:

- How many users got the same mail

- How many users clicked

- How many users opened the mail

If users have not opened or clicked, we request that the mail be deleted.

 

Also check the basic indicators of a phishing email:

1. Phishers use personal accounts like Gmail, Yahoo, Outlook.

2. They don't follow proper greetings.

3. Spelling mistakes will be there.

4. Signature not mentioned.

5. A threatening and urgent tone can be observed.

 

Remediation:

1. Update the firewall team to block the IP address.

2. Update the proxy team to block the URL or domain.

3. Block the sender email ID with the email gateway team.

 

Also give awareness relevant to phishing emails, like:

1. Always, always think twice before clicking.

2. Use two-factor authentication (2FA).

3. Don't click on links; type them directly into the URL bar.

4. Verify a link first before clicking (www.virustotal.com).

5. Hover the mouse over a link to be sure it is legit before clicking.

6. Be very suspicious of any caller who asks you to share login information over the phone.

7. If a caller asks you to provide account data or personally identifiable information, refuse to do so.

8. Security won't call you to request that you change logins, passwords, or network settings.

9. Always do a second verification of suspicious calls.
