Phishing Prevention

Learn how to defend against phishing emails.

Some actions a defender can take to protect users from malicious emails:

  • Email Security (SPF, DKIM, DMARC)

  • Spam Filters (flag or block incoming emails based on reputation)

  • Email Labels (alert users that an incoming email is from an outside source)

  • Email Address/Domain/URL Blocking (based on reputation or explicit denylist)

  • Attachment Blocking (based on the extension of the attachment; renaming a file defeats this on its own, so pair it with content-type and magic-byte inspection)

  • Attachment Sandboxing (detonating email attachments in a sandbox environment to detect malicious activity)

  • Security Awareness Training (internal phishing campaigns)

Per the MITRE ATT&CK framework, Phishing for Information is Technique T1598 (the Initial Access technique Phishing is T1566); both list Software Configuration under Mitigations:

What is the MITRE ID for Software Configuration?

M1054

SPF (Sender Policy Framework)

Sender Policy Framework (SPF) is used to authenticate the sending server of an email. A receiving mail server can verify whether the connecting server is authorized to send email for the domain in the envelope sender (MAIL FROM). An SPF record is a DNS TXT record containing the list of IP addresses and networks allowed to send email on behalf of the domain.

Credit to dmarcian for image

What does a basic SPF record look like?

v=spf1 ip4:127.0.0.1 include:_spf.google.com -all

An explanation for the above record:

  • v=spf1 -> This is the start (version tag) of the SPF record; it must come first

  • ip4:127.0.0.1 -> This authorizes a single IPv4 address (ip6: is the IPv6 form; a /prefix suffix authorizes a whole network)

  • include:_spf.google.com -> This pulls in the SPF record of another domain, so every sender that _spf.google.com authorizes may also send for this domain (each include counts toward the limit of 10 DNS lookups per evaluation)

  • -all -> Hard fail: mail from any source not matched above should be rejected (~all is a soft fail, ?all is neutral)

Refer to the SPF Record Syntax pages on dmarcian.

Refer to dmarcian's guide on how to create your own SPF records.

What is the SPF rule to use if you wish an operator to mark non-authorized emails as suspect (soft fail) without potentially discarding a legitimate email?

v=spf1 ~all

What is the meaning of the -all tag?

fail (hard fail: mail from any source the record does not list should be rejected)
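The following is an added example (not code from the original page or from dmarcian) of how a receiving server evaluates a record like the ones above. It uses a constructed in-memory DNS table in place of real lookups, with documentation addresses and made-up soft.example and loop.example domains, and implements only the ip4, ip6, include and all mechanisms, which is enough to show why -all and ~all give different results and how an include chain is followed.

```python
"""SPF evaluation against a constructed DNS table.

Added example, not code from the original page. It implements the ip4, ip6,
include and all mechanisms (the ones used by the records above) following
RFC 7208, and counts DNS-querying terms against the 10-lookup limit.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; real code would query DNS.
# The domains and addresses are documentation values, not real senders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "soft.example": "v=spf1 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, _lookups=None):
    """Evaluate sender_ip against the SPF record of domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                       # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":                     # 'all' always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1                   # each include costs a DNS lookup
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(sender_ip, value, lookups)
            if sub == "pass":                 # an include matches only on pass
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
            # fail, softfail or neutral inside the include: keep evaluating
        else:
            return "permerror"                # a, mx, exists, ptr, redirect= not handled here
    return "neutral"                          # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip_addr, dom in [("203.0.113.10", "example.com"),
                         ("198.51.100.7", "example.com"),
                         ("192.0.2.1", "example.com"),
                         ("192.0.2.1", "soft.example"),
                         ("192.0.2.1", "loop.example")]:
        print(f"{ip_addr:>14} as {dom:<14} -> {check_spf(ip_addr, dom)}")
```

Run it to see pass, fail and softfail side by side. Two edge cases worth noting: a record with no all term ends neutral rather than fail, and a self-including record hits the 10-lookup limit and produces permerror, which is not a pass, so such a message cannot use SPF for DMARC.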

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is used to authenticate the origin and contents of an email being sent. DKIM is an open standard for email authentication and is one of the two identifiers DMARC alignment is built on. The sending server signs selected headers and the body with a private key; the matching public key is published in DNS as a DKIM record, and the receiver uses it to verify the signature. Because the signature travels in the message headers, it survives forwarding, which SPF (tied to the connecting IP address) does not; this is an advantage over SPF, not a replacement for it.

What does a DKIM record look like?

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTQIC7vZAHHZ7WVv/5x/qH1RAgMQI+y6Xtsn73rWOgeBQjHKbmIEIlgrebyWWFCXjmzIP0NYJrGehenmPWK5bF/TRDstbM8uVQCUWpoRAHzuhIxPSYW6k/w2+HdCECF2gnGmmw1cT6nHjfCyKGsM0On0HDvxP8I5YQIIlzNigP32n1hVnQP+UuInj0wLIdOBIWkHdnFewzGK2+qjF2wmEjx+vqHDnxdUTay5DfTGaqgA9AKjgXNjLEbKlEWvy0tj7UzQRHd24a5+2x/R4Pc7PF/y6OxAwYBZnEPO0sJwio4uqL9CYZcvaHGCLOIMwQmNTPMKGC9nt3PSjujfHUBX3wIDAQAB

An explanation of the above record:

  • v=DKIM1 -> This is the version of the DKIM record. This tag is optional; if present it must be the first tag.

  • k=rsa -> This is the key type. The default value is rsa. RSA is a public-key cryptosystem; here it is used to sign, not to encrypt.

  • p= -> This is the Base64-encoded public key that verifies signatures made with the private key created during the DKIM setup process. An empty p= value means the key has been revoked.

Refer to the dmarcian DKIM resources for additional information.

Which email header shows the status of whether DKIM passed or failed?

Authentication-Results

DMARC (Domain-Based Message Authentication, Reporting, and Conformance)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses alignment to tie the results of two other open standards, SPF and DKIM, to the domain in the message's visible From: header: a message passes DMARC when SPF or DKIM passes and the domain that passed aligns with the From: domain. Publishing a DMARC record for a domain also tells receivers what to do with mail that fails (the policy) and enables aggregate and forensic reports, which give the feedback needed to troubleshoot SPF and DKIM configurations.

What does a basic DMARC record look like?

v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com

An explanation of the above record:

  • v=DMARC1 -> Version tag; the value is in upper case, it is required, and it must be the first tag

  • p=quarantine -> The DMARC policy: what the receiver should do with mail that fails the check. quarantine asks for the message to be treated as suspicious (typically delivered to the spam folder); the other values are none (monitor only) and reject

  • rua=mailto:postmaster@website.com -> Aggregate reports (XML summaries of authentication results) will be sent to this email address

Refer to the dmarcian DMARC resources for additional information on DMARC tags, and review their resource on DMARC Alignment.

Using the Domain Health Checker from dmarcian.com, check the DMARC status of microsoft.com.

All emails that fail the DMARC check will be rejected (a p=reject policy).

Which DMARC policy would be used to not accept an email if the message fails the DMARC check?

p=reject (sp=reject applies the same policy to subdomains)

S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol for sending digitally signed and encrypted messages.

Using public-key cryptography, S/MIME provides confidentiality (encryption), data integrity and sender authentication (digital signatures), and nonrepudiation.

  • If Bob wishes to use S/MIME, he needs a digital certificate. The certificate contains his public key; the matching private key stays with Bob.

  • Bob "signs" the email message with his private key; the signed message carries his certificate.

  • Mary verifies Bob's signature with the public key in his certificate, which proves the message came from Bob and was not altered in transit. Once she has his certificate, she can also encrypt mail to Bob with his public key, which only his private key can decrypt.

  • Mary does the same (her signed reply carries her certificate) when she replies to his email, and Bob completes the same process on his end.

  • Both now have each other's certificates for future signed and encrypted correspondence.

Refer to the Microsoft documentation on S/MIME for more information and for steps on how to configure Office 365 to send and receive S/MIME emails.

What is nonrepudiation?

A digital signature can only be produced with the signer's private key, so the owner of that key cannot later deny having signed the message.

SMTP Status Codes

Examining the PCAP file with SMTP traffic, focusing on SMTP status codes:

What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

smtp.response.code

Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

<domain> service ready

One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

156,553

Based on the packet from the previous question, what was the message regarding the mailbox?

mailbox name not allowed

What is the status code that will typically precede a SMTP DATA command?

354 (Start mail input: the server's reply to the DATA command, sent before the client transmits the message body)

SMTP Traffic Analysis

Analyze trivial SMTP traffic.

What port is the SMTP traffic using?

25

How many packets are specifically SMTP?

512 (display filter: smtp)

What is the source IP address for all the SMTP traffic?

10.12.19.101

What is the filename of the third file attachment?

attachment.scr

How about the last file attachment?

.zip
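Added example (not code from the page) for the attachment questions above and for the Attachment Blocking and Sandboxing controls listed at the top: it builds a constructed message with the standard library, parses it back the way a gateway parses the DATA payload, and decides per attachment whether to block, sandbox or allow. The extension lists are assumptions to adapt to your environment; the magic-byte check is there because an extension such as the third attachment's .scr is trivially renamed.

```python
"""Enumerate the attachments of a captured message and decide block / sandbox / allow.

Added example, not from the original page. The message is constructed here
with the standard library (it is not the room's PCAP), then parsed back the
way a mail gateway would parse the DATA payload. The decision combines an
extension denylist with a magic-bytes check, because an extension filter
alone is defeated by renaming the file.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists: extensions to block outright (executable on Windows), to
# detonate in a sandbox (containers and macro-capable documents), and decoy
# document types used in double extensions such as invoice.pdf.exe.
BLOCK_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1", ".msi", ".dll"}
SANDBOX_EXT = {".zip", ".7z", ".rar", ".iso", ".img", ".docm", ".xlsm",
               ".pptm", ".doc", ".xls", ".rtf", ".pdf"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def build_sample_message():
    """Constructed message with four attachments; returns the raw bytes an MTA would receive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Documents attached"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"Meeting at 10.", maintype="text", subtype="plain", filename="notes.txt")
    # A PE header disguised with a .txt name: passes an extension-only filter.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="text", subtype="plain", filename="readme.txt")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application", subtype="octet-stream", filename="attachment.scr")
    msg.add_attachment(b"PK\x03\x04\x14\x00\x00\x00", maintype="application", subtype="zip", filename="archive.zip")
    return msg.as_bytes()


def classify(filename, data):
    """Return (decision, reasons) for one attachment."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in BLOCK_EXT:
        reasons.append(f"extension {ext} is on the denylist")
    if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
        reasons.append(f"double extension {''.join(suffixes[-2:])} disguises the file type")
    for magic, description in MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {description} regardless of the name")
    if reasons:
        return "block", reasons
    if ext in SANDBOX_EXT:
        return "sandbox", [f"{ext} may carry executable content; detonate before delivery"]
    return "allow", []


def analyze_message(raw):
    """Parse raw RFC 5322 bytes and classify every attachment, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        name = part.get_filename() or f"unnamed-{index}"
        data = part.get_payload(decode=True) or b""
        decision, reasons = classify(name, data)
        report.append({"index": index, "filename": name,
                       "content_type": part.get_content_type(),
                       "size": len(data), "decision": decision, "reasons": reasons})
    return report


if __name__ == "__main__":
    for item in analyze_message(build_sample_message()):
        print(f"{item['index']}. {item['filename']:<16} {item['content_type']:<24} "
              f"{item['decision']:<8} {'; '.join(item['reasons'])}")
```

In the constructed message the third attachment is blocked by its .scr extension, the second is blocked only because of the MZ header behind a .txt name, and the last (.zip) goes to the sandbox because a filter cannot know what the archive contains. On real traffic, feed the function the reassembled DATA payload of each session.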

SMTP and C&C Communication

SMTP has been abused by adversaries for C2 (Command and Control) communications.

MITRE ATT&CK (Application Layer Protocol: Mail Protocols, T1071.003):

Per MITRE, "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."

Several notable groups, such as APT28, APT32, and Turla, to name a few, have used this technique.

Recommended mitigation (per MITRE):

"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."

Detection opportunity (per MITRE):

"Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data."

Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Zebrocy
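Added example, not from MITRE or the page: the conformance check the detection note above describes, applied to two constructed sessions. The "suspicious" session is a made-up illustration of a client that abuses the mail protocol, not a signature for Zebrocy or any other malware.

```python
"""Protocol-conformance check over SMTP client/server lines: flag traffic on
the mail port that does not follow RFC 5321 syntax, structure or command
sequence, which is the detection idea quoted from MITRE above.

Added example, not from the original page or from MITRE. Both sessions are
constructed; the suspicious one is illustrative, not real malware traffic.
"""
import re

KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
               "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
MAX_COMMAND_LINE = 512     # RFC 5321 section 4.5.3.1.4 (including CRLF)
MAX_TEXT_LINE = 1000       # RFC 5321 section 4.5.3.1.6 (including CRLF)
REPLY_RE = re.compile(r"^[2-5]\d{2}([ -]|$)")   # 3-digit code, then space, hyphen or end

BENIGN = [
    ("S", "220 mail.example.net ESMTP"), ("C", "EHLO client.example.org"),
    ("S", "250 mail.example.net"), ("C", "MAIL FROM:<alice@example.org>"),
    ("S", "250 OK"), ("C", "RCPT TO:<bob@example.net>"), ("S", "250 OK"),
    ("C", "DATA"), ("S", "354 Start mail input"), ("C", "Subject: status"),
    ("C", ""), ("C", "All systems nominal."), ("C", "."), ("S", "250 OK queued"),
    ("C", "QUIT"), ("S", "221 Bye"),
]
SUSPICIOUS = [
    ("S", "220 c2.example ESMTP"),                          # 1
    ("C", "EHLO bot"),                                      # 2
    ("S", "250 c2.example"),                                # 3
    ("C", "EXEC whoami"),                                   # 4 verb is not SMTP
    ("S", "OUTPUT result follows"),                         # 5 reply has no status code
    ("C", "DATA"),                                          # 6 no MAIL/RCPT first
    ("S", "354 go ahead"),                                  # 7
    ("C", "A" * 1200),                                      # 8 text line too long
    ("C", "."),                                             # 9
    ("S", "250 ok"),                                        # 10
    ("C", "MAIL FROM:<" + "x" * 600 + "@c2.example>"),      # 11 command line too long
    ("S", "250 ok"),                                        # 12
]


def inspect_session(lines):
    """lines: list of (side, text) with side 'C' or 'S'. Returns [(line_no, finding)]."""
    findings = []
    in_data = False
    state = "init"           # init -> mail -> rcpt, the order RFC 5321 section 3.3 requires
    for n, (side, text) in enumerate(lines, start=1):
        raw_len = len(text.encode()) + 2        # account for the CRLF on the wire
        if side == "S":
            if not REPLY_RE.match(text):
                findings.append((n, "server reply is not a 3-digit status code"))
            elif text.startswith("354"):
                in_data = True                   # message content follows until a lone '.'
            continue
        if in_data:
            if text == ".":
                in_data = False
                state = "init"                   # transaction complete
            elif raw_len > MAX_TEXT_LINE:
                findings.append((n, f"text line of {raw_len} octets exceeds {MAX_TEXT_LINE}"))
            continue
        verb = text.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb not in KNOWN_VERBS:
            findings.append((n, f"unknown command verb {verb!r}"))
            continue
        if raw_len > MAX_COMMAND_LINE:
            findings.append((n, f"command line of {raw_len} octets exceeds {MAX_COMMAND_LINE}"))
        # Sequence checks: RCPT needs MAIL first, DATA needs at least one RCPT.
        if verb == "MAIL":
            state = "mail"
        elif verb == "RCPT":
            if state == "init":
                findings.append((n, "RCPT before MAIL FROM"))
            else:
                state = "rcpt"
        elif verb == "DATA" and state != "rcpt":
            findings.append((n, "DATA before a successful RCPT TO"))
        elif verb == "RSET":
            state = "init"
    return findings


if __name__ == "__main__":
    print("benign:", inspect_session(BENIGN))
    for line_no, finding in inspect_session(SUSPICIOUS):
        print(f"line {line_no}: {finding}")
```

Two caveats for using this in practice. Well-formed mail-based C2 (commands and results carried inside ordinary-looking messages, which is how the groups above used the protocol) passes every check here, so pair it with the attachment and content analysis earlier on this page and with analytics on who is talking to which mail servers and how often; hosts that are not mail servers sending to external MTAs directly on port 25 are a better lead than syntax alone. And once STARTTLS succeeds, the commands are encrypted, so passive inspection only sees the session up to that point.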

Conclusion

A phishing incident response playbook is a defined process to follow when a specific phishing incident occurs.

Phishing IR Playbook:

Per the playbook, what framework was used for the IR process?

NIST
