Phishing Prevention

Learn how to defend against phishing emails.


Last updated 2 years ago

Some actions a defender can take to protect users from malicious emails:

  • Email Security (SPF, DKIM, DMARC)

  • SPAM Filters (flags or blocks incoming emails based on reputation)

  • Email Labels (alert users that an incoming email is from an outside source)

  • Email Address/Domain/URL Blocking (based on reputation or explicit denylist)

  • Attachment Blocking (based on the extension of the attachment)

  • Attachment Sandboxing (detonating email attachments in a sandbox environment to detect malicious activity)

  • Security Awareness Training (internal phishing campaigns)

Per the MITRE ATT&CK Framework, Phishing for Information is classified as Technique ID 1598 (T1598); its Mitigations section lists Software Configuration:

What is the MITRE ID for Software Configuration?

M1054

SPF (Sender Policy Framework)

Sender Policy Framework is used to authenticate the sender of an email. ISPs (Internet service providers) and receiving mail servers can verify whether a mail server is authorized to send email for a specific domain. An SPF record is a type of DNS TXT record containing the list of IP addresses allowed to send email on behalf of the domain.

What does a basic SPF record look like?

v=spf1 ip4:127.0.0.1 include:_spf.google.com -all

An explanation for the above record:

  • v=spf1 -> This is the start of the SPF record

  • ip4:127.0.0.1 -> This specifies which IP address (in this case an IPv4 address, not IPv6) can send mail

  • include:_spf.google.com -> This specifies which domain can send mail

  • -all -> non-authorized emails will be rejected

What is the SPF rule to use if you wish to ensure an operator rejects emails without potentially discarding a legitimate email?

What is the meaning of the -all tag?
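The record walk-through above describes how a receiver evaluates the terms of an SPF record in order and how the qualifier on the final all mechanism decides between a hard fail (-all) and a soft fail (~all). The following is an added example, not code from the room or from dmarcian: a simplified RFC 7208 check_host() that evaluates ip4, ip6, include and all against an in-memory stand-in for DNS TXT lookups (FAKE_DNS_TXT, with hypothetical domains and documentation-range addresses), so it runs offline. The mapping from result to receiver action (RECEIVER_ACTION) is an assumption about typical operator policy, not part of the SPF specification.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The domains and addresses are hypothetical (RFC 5737/3849 documentation ranges).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed receiver policy: what an operator typically does with each result.
RECEIVER_ACTION = {
    "pass": "accept",
    "fail": "reject",               # -all: hard fail, message refused
    "softfail": "accept and mark",  # ~all: delivered, but tagged as suspicious
    "neutral": "accept",
    "none": "accept",
    "permerror": "accept",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Simplified RFC 7208 check_host(): evaluate sending IP 'ip' against the
    SPF policy of 'domain'. Only ip4, ip6, include and all are supported here;
    a, mx, exists, ptr and redirect would need real DNS and yield permerror."""
    if depth > 10:  # RFC 7208 caps include/redirect recursion at 10 lookups
        return "permerror"
    record = dns.get(domain)
    if record is None:
        return "none"  # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            # include: matches only if the referenced policy yields "pass"
            matched = check_host(ip, argument, dns, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


def receiver_action(ip, domain, dns=FAKE_DNS_TXT):
    """Pair the SPF result with the action the assumed operator policy takes."""
    result = check_host(ip, domain, dns)
    return result, RECEIVER_ACTION[result]


if __name__ == "__main__":
    for sender_ip, claimed in [("203.0.113.10", "example.com"),
                               ("192.0.2.1", "example.com"),
                               ("192.0.2.1", "softfail.example")]:
        print(sender_ip, claimed, receiver_action(sender_ip, claimed))
```

Swapping -all for ~all in a record changes only the qualifier on the last term, which is why the same unauthorized sender is rejected under example.com but merely marked under softfail.example.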

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is used to authenticate an email being sent. DKIM is an open standard for email authentication used for DMARC alignment. A DKIM record exists in DNS, with the advantage that a DKIM signature can survive forwarding, making it superior to SPF when securing email.

What does a DKIM record look like?

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTQIC7vZAHHZ7WVv/5x/qH1RAgMQI+y6Xtsn73rWOgeBQjHKbmIEIlgrebyWWFCXjmzIP0NYJrGehenmPWK5bF/TRDstbM8uVQCUWpoRAHzuhIxPSYW6k/w2+HdCECF2gnGmmw1cT6nHjfCyKGsM0On0HDvxP8I5YQIIlzNigP32n1hVnQP+UuInj0wLIdOBIWkHdnFewzGK2+qjF2wmEjx+vqHDnxdUTay5DfTGaqgA9AKjgXNjLEbKlEWvy0tj7UzQRHd24a5+2x/R4Pc7PF/y6OxAwYBZnEPO0sJwio4uqL9CYZcvaHGCLOIMwQmNTPMKGC9nt3PSjujfHUBX3wIDAQAB

An explanation of the above record:

  • v=DKIM1 -> This is the version of the DKIM record. This is optional.

  • k=rsa -> This is the key type. The default value is RSA. RSA is an encryption algorithm (cryptosystem).

  • p= -> This is the public key that will be matched to the private key, which was created during the DKIM setup process.

Which email header shows the status of whether DKIM passed or failed?

Authentication-Results

DMARC (Domain-Based Message Authentication, Reporting, and Conformance)

DMARC (Domain-Based Message Authentication, Reporting, and Conformance) uses alignment to tie the results of two other open standards, SPF and DKIM, to the content of an email (specifically its From: header domain). Putting a DMARC record in place for a domain provides feedback reports that allow troubleshooting of the SPF and DKIM configurations if needed.

What does a basic DMARC record look like?

v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com

An explanation of the above record:

  • v=DMARC1 -> Must be in all caps, and it's not optional

  • p=quarantine -> If a check fails, then an email will be sent to the spam folder (DMARC Policy)

  • rua=mailto:postmaster@website.com -> Aggregate reports will be sent to this email address

All emails that fail the DMARC check will be rejected.

Which DMARC policy would be used to not accept an email if the message fails the DMARC check?
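The DKIM and DMARC sections above describe three things a receiver combines: the tag=value records published in DNS, the SPF/DKIM verdicts recorded in the Authentication-Results header, and the alignment rule that ties each verdict's domain to the From: domain before the p= policy is applied. This added example (not code from the room or from dmarcian) implements that decision. The DMARC record is the page's own; the DKIM record reuses the page's tags with the long public key replaced by a labelled placeholder; the Authentication-Results headers and domains are constructed. org_domain() is a simplification (last two labels) of what real implementations do with the Public Suffix List.

```python
import re

# Records from the page (DKIM public key replaced by a placeholder); headers below are constructed.
DKIM_RECORD = "v=DKIM1; k=rsa; p=PUBLIC_KEY_PLACEHOLDER"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com"

# Constructed Authentication-Results headers for three common situations.
AUTH_DIRECT = "mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.website.com; dkim=pass header.d=website.com"
AUTH_FORWARDED = "mx.receiver.example; spf=fail smtp.mailfrom=bounce@mail.website.com; dkim=pass header.d=website.com"
AUTH_SPOOFED = "mx.receiver.example; spf=pass smtp.mailfrom=bounce@other.example; dkim=none"


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record; DKIM and DMARC records share this syntax."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


_RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)", re.I)
_DOMAIN_RE = re.compile(r"(?:header\.d|smtp\.mailfrom)=(?:[\w.+-]+@)?([\w.-]+)", re.I)


def parse_authentication_results(header):
    """Pull the spf/dkim verdicts and the domain each was evaluated for out of an
    Authentication-Results header (simplified RFC 8601 parsing). The text before
    the first ';' is the authserv-id and is skipped."""
    results = {}
    _, _, body = header.partition(";")
    for clause in body.split(";"):
        verdict = _RESULT_RE.search(clause)
        if not verdict:
            continue
        domain = _DOMAIN_RE.search(clause)
        results[verdict.group(1).lower()] = {
            "result": verdict.group(2).lower(),
            "domain": domain.group(1).lower() if domain else None,
        }
    return results


def org_domain(domain):
    """Simplification: the organizational domain is the last two labels.
    Real implementations consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(dmarc_record, from_domain, auth_results_header):
    """Decide a message's DMARC outcome and disposition from the From: domain,
    the receiver's Authentication-Results header and the domain's DMARC record."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    results = parse_authentication_results(auth_results_header)
    spf, dkim = results.get("spf", {}), results.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and aligned(spf.get("domain"), from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim.get("domain"), from_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned  # either aligned pass satisfies DMARC
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # p=none delivers, p=quarantine sends to spam, p=reject refuses the message
        "disposition": "none" if passed else tags.get("p", "none"),
        "aggregate_reports_to": tags.get("rua"),
    }


if __name__ == "__main__":
    print("dkim tags:", parse_tags(DKIM_RECORD))
    for label, header in [("direct", AUTH_DIRECT), ("forwarded", AUTH_FORWARDED), ("spoofed", AUTH_SPOOFED)]:
        print(label, dmarc_evaluate(DMARC_RECORD, "website.com", header))
```

The forwarded case is the point made in the DKIM section: SPF fails because the forwarding host is not in the sender's record, but the DKIM signature still verifies and aligns, so DMARC passes.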

S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • If Bob wishes to use S/MIME, then he'll need a digital certificate. This digital certificate will contain his public key.

  • With this digital certificate, Bob can "sign" the email message with his private key.

  • Mary can then decrypt Bob's message with Bob's public key.

  • Mary will do the same (send her certificate to Bob) when she replies to his email, and Bob completes the same process on his end.

  • Both will now have each other's certificates for future correspondence.

What is nonrepudiation?

The uniqueness of a signature prevents the owner of the signature from disowning the signature.

SMTP Status Codes

Examining the PCAP file with SMTP traffic, focusing on SMTP codes:

What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

smtp.response.code

Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

Based on the packet from the previous question, what was the message regarding the mailbox?

What is the status code that will typically precede an SMTP DATA command?

SMTP Traffic Analysis

Analyze trivial SMTP traffic.

What port is the SMTP traffic using?

How many packets are specifically SMTP?

What is the source IP address for all the SMTP traffic?

What is the filename of the third file attachment?

How about the last file attachment?
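The attachment questions above are answered in Wireshark by reading the filename parameters of the Internet Message Format (imf) parts, and the Attachment Blocking control listed at the top of the page acts on exactly those names. This added example (not code from the room) does the same in Python: it builds a constructed multipart message with three attachments, lists their filenames in message order, and applies an extension blocklist. BLOCKED_EXTENSIONS is an assumed example policy, not a recommendation from the page, and the message contents are placeholders.

```python
import posixpath
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed example blocklist; a real policy is tuned to the organization.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".js", ".vbs", ".hta", ".zip"}


def build_sample_message():
    """Construct a sample multipart message with three attachments (not real mail).
    The second filename carries a '../' prefix to show why names are normalized."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="../attachment.scr")
    msg.add_attachment(b"PK constructed sample", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


def list_attachments(raw):
    """Return attachment filenames in message order, reduced to a basename so a
    crafted name cannot escape the directory an analyst extracts into."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(posixpath.basename(name))
    return names


def blocked_attachments(raw):
    """Extension-based attachment blocking: the names that would be stripped."""
    return [n for n in list_attachments(raw)
            if posixpath.splitext(n.lower())[1] in BLOCKED_EXTENSIONS]


if __name__ == "__main__":
    sample = build_sample_message()
    names = list_attachments(sample)
    print("attachments:", names)
    print("third attachment:", names[2])
    print("blocked:", blocked_attachments(sample))
```

Matching on the lowercase extension also catches INVOICE.SCR; a double extension such as report.pdf.scr is still blocked because only the final suffix is inspected.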

SMTP and C&C Communication

SMTP has been abused by adversaries for C2 (Command and Control) communications.

MITRE ATT&CK:

Per MITRE, "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."

Several notable groups, such as APT28, APT32, and Turla, to name a few, have used this technique.

Recommended mitigation (per MITRE):

"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."

Detection opportunity (per MITRE):

"Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data."

Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Conclusion

A phishing incident response playbook is a defined process that should be followed during a phishing incident.

Phishing IR Playbook:

Per the playbook, what framework was used for the IR process?

NIST

Refer to the SPF Record Syntax resources on dmarcian.

Refer to the resource on dmarcian on how to create your own SPF records.

Refer to the DKIM resources for additional information.

Refer to the DMARC resources for additional information on DMARC tags. Review the resource on DMARC Alignment.

Using the Domain Health Checker from dmarcian.com, check the DMARC status of microsoft.com.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol for sending digitally signed and encrypted messages.

Using public key cryptography, S/MIME guarantees data integrity and nonrepudiation.

Refer to this Microsoft documentation for more information on S/MIME and steps on how to configure Office 365 to send/receive S/MIME emails.

Technique 1071 > Sub-Technique 3: https://attack.mitre.org/techniques/T1071/003/

Phishing IR Playbook: https://www.incidentresponse.org/playbooks/phishing

Further reading:

  • Wireshark · Display Filter Reference: Simple Mail Transfer Protocol

  • Wireshark · Display Filter Reference: Internet Message Format

  • What Are SMTP Codes and How to Troubleshoot Them (MailerSend)

Credit to dmarcian for image

Answers to the remaining questions above, in order:

  • SPF rule that rejects emails without potentially discarding a legitimate email: v=spf1 ~all

  • Meaning of the -all tag: fail

  • DMARC policy to not accept an email that fails the DMARC check: sp=reject

  • Message for status code 220: <domain> service ready

  • Packet number and status code of the spamhaus.org block: 156,553

  • Message regarding the mailbox: mailbox name not allowed

  • Status code that typically precedes an SMTP DATA command: 354

  • Port used by the SMTP traffic: 25

  • Number of packets that are specifically SMTP (display filter smtp): 512

  • Source IP address for all the SMTP traffic: 10.12.19.101

  • Filename of the third file attachment: attachment.scr

  • Last file attachment: .zip

  • Software associated with using SMTP and POP3 for C2 communications: Zebrocy