Phishing

Messages with links are a nightmare. Make sure that no one clicked the link, submitted credentials, and so on. Try to convince the victims, if they clicked, that nothing bad will happen to them from management. Cooperation is key.

In this case it is crucial to get all the evidence (the e-mail with headers, not just the body). From the headers you can find out who sent that phishing e-mail and how. They also carry a lot of other useful information (DKIM, DMARC).
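The header triage described above, as an added example that is not part of the original page: it parses a raw message with Python's standard `email` library, walks the `Received` chain oldest-hop-first to get the originating IP, compares the `From`, `Reply-To` and `Return-Path` domains, and reads the receiving MX's `Authentication-Results` for the SPF/DKIM/DMARC verdicts. The message itself is constructed for the example (documentation addresses and hosts only); the function names are the example's own.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: every address, host and IP below is invented for this
# example (documentation ranges only) and does not come from a real incident.
RAW_MESSAGE = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from unknown (HELO relay.example.net) (198.51.100.23)
\tby mx.example.org with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=example.net;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support-desk@example.net
Return-Path: <bounce@example.net>
To: user@example.org
Subject: Your password expires today
Content-Type: text/plain

Reset your password here: https://login.example.net/reset
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_message(raw: bytes):
    """Parse the full raw message (headers included) with the modern email policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def _flat(value) -> str:
    """Collapse folded-header whitespace into single spaces."""
    return " ".join(str(value).split())


def received_chain(msg) -> list[str]:
    """Each hop prepends its own Received header, so reversing gives oldest-first."""
    return [_flat(h) for h in reversed(msg.get_all("Received", []))]


def originating_ips(msg) -> list[str]:
    """IPv4 addresses in the Received chain, oldest hop (closest to the sender) first."""
    ips = []
    for hop in received_chain(msg):
        for ip in IPV4.findall(hop):
            if ip not in ips:
                ips.append(ip)
    return ips


def sender_domains(msg) -> dict[str, str]:
    """Domain part of From, Reply-To and Return-Path; a mismatch is a classic tell."""
    out = {}
    for name in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(_flat(msg.get(name, "")))[1]
        out[name] = addr.rpartition("@")[2].lower()
    return out


def auth_results(msg) -> dict[str, str]:
    """SPF/DKIM/DMARC verdicts as recorded by the receiving MX."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH.findall(_flat(header)):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def triage(msg) -> list[str]:
    """Human-readable findings for the incident record."""
    findings = []
    domains = sender_domains(msg)
    if len({d for d in domains.values() if d}) > 1:
        findings.append(f"sender domain mismatch: {domains}")
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech} verdict: {verdict}")
    ips = originating_ips(msg)
    if ips:
        findings.append(f"first-hop IP (check reputation / abuse contact): {ips[0]}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_message(RAW_MESSAGE)):
        print(line)
```

Run it on the `.eml` you exported from the mail server rather than on a forwarded copy: forwarding rewrites the headers, which is exactly why the page insists on the original with headers. The `Received` line written by your own MX is the only one you can trust; earlier hops are supplied by the sender and may be forged.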

Where one institution is targeted, make sure that you have access to the mail server, because you want to know who the other victims are (if there are none, this is spearphishing: someone really wants to get the credentials of one specific person).

tl;dr

  1. Get the e-mail with headers

    1. Who sent it? (IP, From, Reply-To, DKIM, DMARC and spam records)

  2. Verify (on the mail server) who else got this e-mail

    1. One recipient > Spearphishing

      1. Why is this person targeted?

    2. More > Phishing

  3. Check who got phished

    1. Who (from the recipients) clicked on the link?

      1. Who submitted data (credentials, credit card data, ...)?

        1. A phished person has to change their password(s) on all services, even personal ones!

  4. What does the e-mail look like?

    1. Well prepared?

      1. Similar to a service you are using?

      2. Containing some internal information?

      3. Logos?

  5. Analyze the site where the phishing is hosted

    1. Hacked site, phishing in subdirectories?

      1. Notify site owner

    2. New, shiny site with a certificate, tailored to your company?

      1. Get the certificate info from the Certificate Transparency logs

  6. Lessons learned

    1. Educate users

      1. Do not click & Report

    2. Enhance detection methods

    3. Check DKIM, DMARC setup

      1. Only the right SMTP server(s) can send e-mail from your domain
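Step 6.3 above (only the right SMTP servers may send as your domain) is enforced by the SPF and DMARC TXT records of your domain. The following added example, not from the original page, checks a pair of records for the weak settings that defeat that goal (an SPF `+all`/`?all` or missing `all`, a DMARC `p=none`, a `pct` below 100, no `rua` report address) and shows the corrected form beside it. All records are constructed for a hypothetical domain and no DNS query is made; DKIM is not covered here because its record lives under a selector name you would have to supply.

```python
import re

# Constructed TXT records for a hypothetical domain; no DNS is queried here.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"mechanisms": [], "all": None}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is '+'
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        else:
            parsed["mechanisms"].append((qualifier, name, body))
    return parsed


def spf_findings(record: str) -> list[str]:
    """Weak SPF settings that let arbitrary hosts send as the domain."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] in (None, "+", "?"):
        findings.append(
            f"'all' qualifier is {spf['all'] or 'missing'}: any host may send as this domain"
        )
    lookups = sum(1 for _, name, _ in spf["mechanisms"] if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(name == "ptr" for _, name, _ in spf["mechanisms"]):
        findings.append("'ptr' mechanism is discouraged; replace it with ip4/ip6")
    return findings


def parse_dmarc(record: str) -> dict:
    """DMARC records are ';'-separated tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> list[str]:
    """DMARC settings under which spoofed mail is still delivered or unreported."""
    tags = parse_dmarc(record)
    findings = []
    action = tags.get("p", "").lower()
    if action == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif action == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif action != "reject":
        findings.append(f"p={action or 'missing'}: no recognised policy")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(label, spf_findings(spf) + dmarc_findings(dmarc) or ["no findings"])
```

To check your own domain, fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` (for example with `dig TXT`) and pass the strings to `spf_findings` and `dmarc_findings`. Moving from the weak to the strict form is usually done in stages (`p=none` with `rua` first, so the reports reveal legitimate senders you forgot, then `quarantine`, then `reject`).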

These MITRE ATT&CK techniques could also be useful: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service and User Execution.