created 2022-12-27

!!! attention attention !!! --> phishing investigation readme <-- !!! attention attention !!!

please read this carefully!

it can help you to understand potential pitfalls...


first :

--> do not click on the links pointing to the potential phishing site without modifying them first.

second :

--> do not post any link to online forensic tools without modifying it first.

third :

--> do not open attachments on your "office" devices. please use a forensic box.

fourth :

--> do not upload attachments to online forensic tools without verifying that the content is not confidential.


i know, this should be obvious. but if you look at online forensic tools, you will find email addresses exposed.

head

created 2022-12-27

how to investigate a phishing email part 0

how do you get phishing emails into your "soc" inbox

option number one:

--> the user reports the potential phishing email manually. please ensure that the potential phishing email is forwarded as an attachment. for investigation purposes it is nice to have the headers.

option number two:

--> some email programs allow plugins/add-ins. you can write your own plugin/add-in which forwards the potential phishing email as an attachment to the soc inbox. (and if you are running a siem, you may also want to have an event triggered when a potential phishing email lands in your soc inbox.)

option number three:

--> you have purchased option number two (just ensure you can reroute the traffic to your soc inbox and are not forced to use another portal).

option number four:

--> you are an office365 customer and have the correct license purchased. (do not forget to put the transport rules in place and point them to the soc inbox. otherwise those reports go to ms directly.)


ok, now you have a potential phishing email in your soc inbox.
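what the first steps in the soc inbox look like in code, as an added example (not code from the original page): it covers option one's "forward as attachment, keep the headers" and the readme's "modify links before you post them". assumptions of mine: the report arrives as a message with the suspicious mail attached as message/rfc822 (which is what "forward as attachment" produces in most clients), the "modification" is the usual defanging (http -> hxxp, "." -> "[.]"), and the sample report below is constructed for this example.

```python
"""
Triage a phishing report that arrived in the SOC inbox as a forwarded attachment.

Added example, not code from the original page. Assumes the suspicious mail is
attached as message/rfc822; the sample report and all addresses are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed sample: a user's report wrapping the suspicious email as an attachment.
REPORT_RAW = b"""\
From: alice@example.com
To: soc@example.com
Subject: FW: suspicious mail
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

looks odd, please check.

--outer
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bad.example.org
Return-Path: <bounce@bad.example.org>
From: "IT Support" <support@bad.example.org>
To: alice@example.com
Subject: reset your password now
Content-Type: text/plain

Click here: http://login.bad.example.org/reset?u=alice
Or visit 203.0.113.7 for help.

--outer--
"""

# Headers worth looking at first; Received is repeated once per hop, keep them all.
HEADERS_OF_INTEREST = ("Received", "Return-Path", "From", "Reply-To",
                       "Authentication-Results", "Subject")

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_attached_message(report_raw: bytes) -> Optional[EmailMessage]:
    """Return the first message/rfc822 part of the report, or None when the user
    forwarded inline (then the original headers are gone and must be requested)."""
    report = email.message_from_bytes(report_raw, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the attached message object itself
    return None


def collect_headers(msg: EmailMessage) -> Dict[str, List[str]]:
    """Gather every occurrence of the triage headers, in original order."""
    return {name: [str(v) for v in msg.get_all(name, [])] for name in HEADERS_OF_INTEREST}


def defang(text: str) -> str:
    """Make URLs and IPv4 addresses non-clickable before they go into a ticket
    or an online tool: http -> hxxp and every '.' in the host -> '[.]'."""
    def _defang_url(m: "re.Match") -> str:
        url = re.sub(r"^http", "hxxp", m.group(0), flags=re.IGNORECASE)
        return url.replace(".", "[.]")
    text = URL_RE.sub(_defang_url, text)
    return IPV4_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def extract_indicators(msg: EmailMessage) -> List[str]:
    """Pull URLs and IPv4 addresses out of the text body, already defanged."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [defang(i) for i in URL_RE.findall(text) + IPV4_RE.findall(text)]


def triage(report_raw: bytes) -> dict:
    """Headers and defanged indicators of the attached mail, or a flag that the
    report was not forwarded as an attachment."""
    inner = extract_attached_message(report_raw)
    if inner is None:
        return {"attached": False, "headers": {}, "indicators": []}
    return {"attached": True,
            "headers": collect_headers(inner),
            "indicators": extract_indicators(inner)}


if __name__ == "__main__":
    result = triage(REPORT_RAW)
    for name, values in result["headers"].items():
        for value in values:
            print(f"{name}: {value}")
    print("indicators:", result["indicators"])
```

if `attached` comes back false, the user forwarded inline and the hop headers are lost; ask for the original as an attachment before doing anything else.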

let's split the investigation into four parts.

head

created 2022-12-xx

how to investigate a phishing email part 1

work in progress

head

created 2022-12-17

spf

spf, or sender policy framework, is a technique that allows a domain owner to specify which servers are allowed to send email on their behalf. this can help prevent someone from sending an email that appears to be from a domain they don't own.


high-level steps to implement spf: you will need to do the following:


- identify all the servers that are allowed to send email on your domain's behalf. this may include your own mail servers, as well as any third-party servers you use for sending email (such as a marketing platform).

- create a list of these servers, along with their IP addresses, in the form of an SPF record. this record should be added to the dns settings for your domain.

- once the spf record is added, any time someone receives an email from your domain, their mail server will check the spf record to see if the server that sent the email is allowed to send email on your domain's behalf. if the server is not on the list, the email may be marked as spam or rejected.

- you can also specify in the spf record whether you want to allow third-party servers to send email on your domain's behalf, or whether you want to strictly limit it to your own servers. this is known as the "policy" for your spf record.

- it's important to regularly review and update your spf record to make sure it accurately reflects the servers that are allowed to send email on your domain's behalf. this will help ensure that your emails are delivered successfully and are not marked as spam.
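the steps above carried through as one worked example, added here and not code from the original page: a small builder that turns the server inventory into the spf TXT record (step two, with the "policy" choice of -all or ~all from step four) and a checker that does what the receiving mail server does in step three. assumptions: dns is replaced by a constructed in-memory table so it runs offline, only the ip4, ip6, include and all mechanisms of rfc 7208 are implemented (a, mx, ptr, exists and redirect need live lookups and are left out), and all domains and addresses are constructed.

```python
"""
Minimal SPF record builder and checker (ip4/ip6/include/all only).

Added example, not code from the original page. DNS is a constructed
in-memory table; domains and addresses are made up for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS table: domain -> TXT record, standing in for real lookups.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 include:mail.example-esp.net -all",
    "mail.example-esp.net": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfigured, includes itself
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(ip4_networks: List[str], ip6_networks: List[str],
                     includes: List[str], strict: bool) -> str:
    """Assemble the TXT record from the inventory of sending servers.
    strict=True ends the record with -all (hard fail), False with ~all (soft fail)."""
    terms = ["v=spf1"]
    terms += [f"ip4:{n}" for n in ip4_networks]
    terms += [f"ip6:{n}" for n in ip6_networks]
    terms += [f"include:{d}" for d in includes]
    terms.append("-all" if strict else "~all")
    return " ".join(terms)


def check_spf(sender_ip: str, domain: str, dns: Dict[str, str] = DNS_TXT,
              _lookups: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.
    Returns one of pass / fail / softfail / neutral / none / permerror."""
    lookups = [0] if _lookups is None else _lookups  # shared counter across includes
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # ipaddress returns False for a v4 address tested against a v6 network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            inner = check_spf(sender_ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
        else:
            # a, mx, ptr, exists, redirect need live DNS and are not implemented here.
            return "permerror"
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    print(build_spf_record(["192.0.2.10"], [], ["mail.example-esp.net"], strict=True))
    for ip in ("192.0.2.10", "203.0.113.77", "203.0.113.200", "2001:db8::1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

the loop.example entry shows the caveat behind the last step: a record that includes itself (or chains through too many third parties) exceeds the lookup limit and evaluates to permerror, so mail from every legitimate server fails the check. the included third party's own ~all does not weaken example.com's -all, because an include only ever counts as a match when the included record returns pass.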

head

this is the end and thanks for the fish!

head

created 2022-12-27

disclaimer, things on top of the license

- just to say, i do not receive any money or whatever from any vendor whose product i mention in my articles.

- all processes are my own opinion.

head