Email filters are pretty good these days, but nasty emails still slip through the cracks and land in our users’ inboxes. Whenever a phishing or spam email lands, I like to hit back as hard as possible. This article describes the measures I like to take whenever I become aware of a malicious email.
Much of this process is based on the links on SwiftOnSecurity’s GotPhish.com website.
Step 1: Evaluate, and create a public record
Most emails of malicious intent are designed to lure you into a webpage – usually a hacked website hosting malware or phishing. I like to start my process by focusing on the destination site.
Don’t ever open the URL – just copy and paste the malicious URL from the email into URLQuery and VirusTotal.
These services serve two purposes:
- Check the redirects, and see a screenshot of the final page
- Create a public record for security companies
This second point is worth explaining. These services have a public list of all URLs scanned, and security researchers constantly ping these lists and check them for URLs that should be taken down or blocked. Often, URLs I submit to these two services get blocked by my filtering vendor within a couple of hours.
Step 2: Report to third parties
If the URL is a phishing page, report it directly to Google, Microsoft, and your filtering company (if you have one). This will get the site blocked in as many browsers as possible.
Step 3: Report to the hosting company
In my experience, this step is the least effective. Hosting companies and domain registrars generally have abuse departments – but their response can take days.
Use a WHOIS service to find the hosting company serving the domain, do a quick Google search to find their abuse email address, and send them the domain, IP address, URL, and any other information you can find.
Step 4: Update in-house filters
If you use Exchange or Office 365, I highly recommend setting up Transport Rules to catch common phishing attempts.
At my day job, I’ve set up a large list of common phrases and regexes to prepend a warning banner to incoming emails. Many of these rules focus on Office 365 phishing emails, which Microsoft are still surprisingly bad at catching.
The trick is to keep the rules tight enough not to trigger too many false positives, but general enough to catch as much spam as possible.
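As an added example (my own, not code from the original post), here is a transport rule built with the ExchangeOnlineManagement module that does what Step 4 describes: match a tight set of phrases in external mail, prepend a warning banner, and run in audit mode first so false positives can be measured before the rule is enforced. The rule name, phrase list, admin UPN and partner domain are placeholders.

```powershell
# Added example: Exchange Online transport rule that prepends a phishing warning
# banner when an inbound message matches common Office 365 credential-lure wording.
# Requires the ExchangeOnlineManagement module. The admin UPN, partner domain,
# rule name and phrase list below are made-up placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Keep patterns tight: anchor on phrasing that genuine mailbox notices do not use.
# Constructed samples, not a vetted list; tune them against your own mail flow.
$patterns = @(
    'your (mailbox|account) (will be|has been) (suspended|deactivated|closed)',
    'validate your (office ?365|o365|email) account',
    'mailbox (storage|quota) (is|has) (almost )?full.*(click|verify)',
    'shared a (document|file) with you.*(review|open) document'
)

$banner = @"
<div style="background:#ffe8a1;border:2px solid #c90;padding:8px;font-family:sans-serif">
<b>Warning:</b> this external message matches wording used in phishing emails.
Do not enter your credentials on any linked page. Report it to IT if unsure.
</div>
"@

$ruleParams = @{
    Name                              = 'Phish-Warn: O365 credential lures'
    FromScope                         = 'NotInOrganization'          # never tag internal mail
    SubjectOrBodyMatchesPatterns      = $patterns                    # case-insensitive regex match
    ExceptIfSenderDomainIs            = @('trusted-partner.example') # placeholder allowlist
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'                       # still banner signed/encrypted mail
    SetHeaderName                     = 'X-Phish-Warn'               # lets you find hits in message trace
    SetHeaderValue                    = 'o365-lure'
    Mode                              = 'Audit'                      # log matches only; no actions applied
    Priority                          = 0
}
New-TransportRule @ruleParams

# After reviewing audit-mode matches for false positives, switch the rule to enforce:
# Set-TransportRule -Identity 'Phish-Warn: O365 credential lures' -Mode Enforce
```

In audit mode the rule only records matches, so the message trace and rule report show how often each pattern fires on legitimate mail before any banner is ever added.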
Step 5: Report to the email provider
Once you’ve dealt with the website itself, there is a quick process for reporting the sender to their email provider. Open the email headers and locate the sending IP address (take it from the Received header your own mail server added, since Received lines further down the chain can be forged), run a WHOIS to find who owns that address, and email their abuse team with the full headers and the contents of the email.
How do you find phishing email in the first place?
All this is very well and good, but how do you find emails in the first place? Do you rely on users to forward them to you?
Often criminals are dumb, and hit many email addresses in an organisation with the same campaign in a short period. Exchange and Office 365 have tools to help you monitor the subject lines, senders, and recipients of emails across your entire organisation – so keeping an eye on your message trace for patterns is helpful.
Some people like to set up honeypots – email addresses that are posted in as many public places as possible, with the sole purpose of getting sent spam email. These are helpful, but you can fall into the trap of protecting yourself against emails you otherwise wouldn’t receive.
Generic email addresses – such as mail@, info@, support@, accounts@, and privacy@ – are great targets of spam, as are any high-profile staff members (CEO, CFO, etc.). Educate these users in particular, and consider setting up extra monitoring on these obvious targets.