Combat phishing emails with SOAR

​Email is an indispensable communication tool and is used on a daily basis. Unfortunately, many attacks also originate via emails. Phishing Incidents in organization has doubled since the pandemic from last year. It is the most common Social Engineering tactic to gain initial access for any attack. PhishLabs have identified almost 47% more phishing sites in the year 2021 than there were in the year of 2020. This trend is continuing as attacks are also up significantly year-over-year.

Of the phishing attacks detected, the top five targeted industries were:

• Social Media

• Financial

• Webmail and Cloud Services

• Ecommerce

• Telecommunications

This upsurge in Social Engineering attacks has drastically increased the phishing alerts handled by Security Analysts on a daily basis, resulting in an inefficient Incident Handling which might lead to a major security incident. To address the above challenge of any Incident Response Team is where SOAR i.e. Security Orchestration and Automated Response comes into picture to define Incident Analysis and response procedures in a digital workflow format.

Our Managed Service offers Next-Generation SOAR solution, combining security orchestration and automation with the predictive capabilities of the MITRE ATTACK framework that gives analysts the context they need to address advanced threats, while its codeless playbooks enable easily adaptable workflows and integrations with minimal maintenance. Some of the world’s most sophisticated organizations are successful in standardizing, automating and speeding incident response across their people, processes and technologies with SOAR.

We have developed an automated Phishing investigation workflow that streamline incident triage, reducing MTTR and empowering Analyst by increasing the efficiency of decision making and remediation.

Phishing Investigation Playbook


Core Phishing Investigation Methodologies

1. Email Header Analysis: The header is like a passport for your email. There is a ton of information in the header about the route taken by an email i.e. an entry at every stop along the way by the email server it encounters. Below are the few mandatory checks to be performed on an Email Header:

• Check DKIM, DMARC, SPF status whether it is passed, failed or neutral.

• Return-Path: see if the email address in this entry matches the email address in the “From:” entry.

• Reply-To: see if the email address in this entry matches the email address in the “From:” entry.

• X-Distribution: if this field’s value is bulk. This indicates bulk/spam email.

• X-Mailer: field indicates the email client. If it includes weird names, be suspicious.

• X-Spam score, X-Spam flag and X-Spam status entries help determine “spam probability”.

2. Email Body Analysis: Most SPAM or Phishing Emails contains URLs in the email body which might redirect to some Malicious Websites for Credential Harvesting or Malware download.

• Check for such malicious links embedded in text or HTML images in the Email Body. 
• Cross check the same with Threat Intel information on the IOCs or Detonate in any Sandboxing solution for detailed information on the behavior of Malicious URLs and associated attacker groups.

3. User/Endpoint Enrichment: Users are the most vulnerable link when it comes to security penetration. Lack of awareness on the consequences can lead them to access malicious websites or download malwares that must be investigated.

• With previous email header and body analysis showing suspicious traces, we can use our AD to perform an internal enrichment using User’s Employee details, Sign-Ins, Login Locations etc. and to confirm if user has accessed the URL or opened any attachments via email communication.

• Using the User Information, we can check for any Endpoint Alerts on the user’s Host Machine for any Suspicious Activities like Malware, C2C etc.

4. Attachment Analysis: Phishing emails might contain attachments which are in legitimate file formats like docs, pdfs and excels with a malicious intent like creating backdoor for C2C communication for Exfiltration or for Lateral Movement.

• Most of these files can be investigated by creating Hash of the files and check in threat Intel Platform for known Malwares. 

• We can use Sandboxing solution which can provide detailed analysis of how the file will behave when it is opened and also the attack pattern which might help to track the attack groups or APT.

5. Scope Discovery and Remediation: When the result of the previous analysis points out to be a Phishing incident, we can widen our scope of investigation and perform set of response actions accordingly. 

• Similar emails received by other users, must be further removed from their mailbox for preventing them from clicking URLs/Downloading files.

• We can also investigate on User Machines, whether Malicious files have been downloaded or any suspicious URLs have been clicked based on which we can isolate the affected machine for further forensics as well as for restoration process.

We the Cybersecurity Engineering Team at Zensar have automated our well-versed Investigation process with proven expertise in manual threat Hunting leveraging the power of codeless playbooks with 200+ integrations and thousands of automated actions integrated in SOAR for faster Incident response.