Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
carnivorouz Absent Member.
Absent Member.

Gone Phishing

Original posting as chasemullins.com


Log Sources: Log all the things!!  However, for the purpose of this post you only need your Exchange logs and those from your spam gateway (Cisco IronPort in this example).

Scenario: Phishing has evolved far beyond Nigerian scams to the point that it will catch even the tech savvy from time to time.  Spam gateways go a long way in prevention but they still lack the intelligence to catch decent phishing.

Purpose: Provide early detection of phishing email.

Exchange will often lie as to the SMTP sender.  IronPort however, does not.  i.e. joeblow@evil.com will masquerade as sally@yourcompany.com, Exchange will display it as such, the recipient will trust the email and the hyperlink that leads to the malicious payload.  Compromise complete….sit back and profit.

As you can see, this is a true correlation rule that compares Exchange and IronPort logs for the following:

  1. Is the recipient the same?
  2. Is the sender different? (detects the masquerading mentioned)
  3. Did IronPort see the event first?
  4. Lastly, are the Subject lines the same? In Exchange, the Subject comes in as message.  IronPort however, logs it as Device Custom String 6.  A contains operator is used only because the subject has a space before it in Exchange events, at least as of connector version

Get your aggregation correct:

Above everything, this proved to be the most crucial part of this rule.  Variations of # of matches within a longer timeframe caused the rule to deactivate due to excessive partial matches.

Play with your own phishing rules and let me know if you get something better with the same logs. Prost!

Tags (2)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.